feat(pr-merge): bypass audit-marker requirement on chore(deps) PRs #246
Merged
The pr-merge-audit-check hook denies `gh pr merge` until one of three audit signals is present (local marker, GAIA-Audit trailer, GitHub commit status). For chore(deps) PRs from the /update-deps wrapper, the local quality gate (typecheck + lint + vitest + playwright + build) is already the equivalent signal — requiring a separate audit marker is redundant.

Add a fourth accepted signal: a `gh pr view` lookup of the PR title. When it matches `^chore\(deps(-dev)?\):`, the bypass fires and the merge is allowed.

Fall-through is deliberately restrictive: any failure to query the PR title (no gh, no auth, no PR for the current branch, network error) falls through to the normal deny path. The bypass is opt-in proof, not a fallback that softens the gate when the network is unreliable.

This mirrors the same chore(deps) skip already applied to code-review-audit.yml, tests.yml, and chromatic.yml — all four surfaces release together on dep-bump PRs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
code-review-audit skipped: no audit-relevant files changed in this PR
GAIA-Audit: 1.3.3 a4f0ce5
Summary
Adds a chore(deps) bypass to the `pr-merge-audit-check.sh` hook so dep-bump PRs from `/update-deps` are turnkey to merge — no separate audit run required. Mirrors the same skip narrowing already applied to the three required CI workflows in #245.

Mechanism
`gh pr view --json title --jq .title` reads the current branch's PR title. If it matches `^chore\(deps(-dev)?\):`, the hook exits 0 and the merge proceeds.

The bypass runs only after the three existing signals (local marker, GAIA-Audit trailer, GitHub commit status) have all missed — same pattern as the existing GitHub-status fallback. Any failure to query (no `gh`, no auth, no PR for the current branch, network error) falls through to the normal deny path. The bypass is opt-in proof, not a fallback that softens the gate.

Why this scope
The /update-deps wrapper runs the full quality gate (typecheck + lint + vitest + playwright + build) locally before pushing. That's equivalent evidence to a separate code-review-audit run. With the three required workflows already skipping on `chore(deps):`, requiring a local audit marker was the last barrier — this PR removes it.

Other `chore:` prefixes (chore: bump version, etc.) still require the marker. Pattern is anchored, exact prefix match.

Test plan
`bash -n` clean on the modified hook.
`shellcheck` clean on the modified hook (only pre-existing SC1091 info note remains).

🤖 Generated with Claude Code
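
The fail-closed title check described in this PR, as an added example rather than the hook's own code (which is not shown on this page). The function names `fetch_pr_title`, `title_is_deps_bump` and `deps_bypass_allowed` are hypothetical; only the `gh` invocation and the pattern come from the PR text.

```shell
#!/bin/sh
# Added example: the fail-closed chore(deps) title bypass described above.
# Function names are hypothetical; the hook's real code is not on this page.

# Anchored exact-prefix pattern quoted in the PR description (POSIX ERE).
DEPS_TITLE_RE='^chore\(deps(-dev)?\):'

# Print the current branch's PR title using the gh call from the PR text.
# Exits non-zero when gh is missing, unauthenticated, offline, or no PR exists.
fetch_pr_title() {
  gh pr view --json title --jq .title
}

# Return 0 only if the first line of the title matches the pattern.
# grep matches per line, so later lines are dropped to keep ^ anchored
# to the start of the title itself.
title_is_deps_bump() {
  first_line=$(printf '%s\n' "$1" | head -n 1)
  printf '%s\n' "$first_line" | grep -Eq -e "$DEPS_TITLE_RE"
}

# Bypass decision: positive proof or nothing.
# A failed lookup or empty output returns 1, i.e. the normal deny path.
deps_bypass_allowed() {
  title=$(fetch_pr_title 2>/dev/null) || return 1
  [ -n "$title" ] || return 1
  title_is_deps_bump "$title"
}

# Optional demo: classify titles passed as arguments (constructed samples work).
for t in "$@"; do
  if title_is_deps_bump "$t"; then
    printf 'bypass  %s\n' "$t"
  else
    printf 'deny    %s\n' "$t"
  fi
done
```

The signal checked here is the PR title alone; the local quality gate the PR relies on is not verified by this lookup.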