privilegedescalation/org
12
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

chore: remove auto-merge workflow

Browse Source 
Board denied auto-merge (PRI-93). Workflow was never activated — secrets were never provisioned. Removes dead code from main.

PR #110 | PRI-237
This commit is contained in:
privilegedescalation-engineer[bot]
2026-04-23 03:44:37 +00:00
committed by GitHub
parent 3dfe2d265b
commit ad87961575
1 changed files with 0 additions and 155 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/auto-merge.yaml
-155
View File
@@ -1,155 +0,0 @@
name: Auto Merge
on:
pull_request_review:
types: [submitted, dismissed]
pull_request:
types: [opened, reopened, synchronize]
jobs:
auto-merge:
name: Auto Merge (QA + CTO Approved)
runs-on: runners-privilegedescalation
timeout-minutes: 5
steps:
- name: Check dual approval
id: check
env:
GH_TOKEN: ${{ github.token }}
CTO_REVIEWER: privilegedescalation-cto
QA_REVIEWER: privilegedescalation-qa
REPO: ${{ github.repository }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
echo "Checking approvals on PR #${PR_NUMBER} in ${REPO}"
if [ -z "${{ vars.CTO_APP_ID }}" ] || [ -z "${{ vars.CTO_APP_INSTALLATION_ID }}" ] || [ -z "${{ secrets.CTO_APP_PEM }}" ]; then
echo "::error::Missing CTO app configuration. Set CTO_APP_ID, CTO_APP_INSTALLATION_ID (repository variables), and CTO_APP_PEM (secret) before enabling auto-merge. See PRI-103."
exit 1
fi
REVIEWS=$(curl -sf \
-H "Authorization: Bearer ${GH_TOKEN}" \
-H "Accept: application/vnd.github.v3+json" \
"https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
CTO_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${CTO_REVIEWER}" \
'[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
# Note: GitHub review model returns all reviews; `last` here intentionally picks the most recent review per user.
# A user cannot have two approvals on the same PR, so this correctly checks whether the latest review is an approval.
QA_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${QA_REVIEWER}" \
'[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
# Note: Same as above — `last` per user reflects the most recent review state.
echo "CTO (${CTO_REVIEWER}) approved: ${CTO_APPROVED}"
echo "QA (${QA_REVIEWER}) approved: ${QA_APPROVED}"
if [ "${CTO_APPROVED}" = "true" ] && [ "${QA_APPROVED}" = "true" ]; then
echo "Both CTO and QA have approved."
echo "approved=true" >> "$GITHUB_OUTPUT"
else
echo "Dual approval not yet complete. Skipping merge."
if [ "${CTO_APPROVED}" != "true" ]; then
echo " Missing: CTO approval from ${CTO_REVIEWER}"
fi
if [ "${QA_APPROVED}" != "true" ]; then
echo " Missing: QA approval from ${QA_REVIEWER}"
fi
echo "approved=false" >> "$GITHUB_OUTPUT"
exit 1
fi
- name: Check PR merge readiness
if: steps.check.outputs.approved == 'true'
env:
GH_TOKEN: ${{ github.token }}
REPO: ${{ github.repository }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
echo "Checking merge readiness for PR #${PR_NUMBER}"
PR_STATE=$(curl -sf \
-H "Authorization: Bearer ${GH_TOKEN}" \
-H "Accept: application/vnd.github.v3+json" \
"https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.mergeable_state')
echo "PR mergeable_state: ${PR_STATE}"
if [ "${PR_STATE}" = "clean" ] || [ "${PR_STATE}" = "unstable" ] || [ "${PR_STATE}" = "has_hooks" ]; then
echo "All required status checks passed."
elif [ "${PR_STATE}" = "blocked" ]; then
echo "PR is blocked (required checks not passing)."
exit 1
elif [ "${PR_STATE}" = "dirty" ]; then
echo "PR has merge conflicts. Cannot auto-merge."
exit 1
elif [ "${PR_STATE}" = "behind" ]; then
echo "PR is behind base branch. Cannot auto-merge."
exit 1
else
echo "PR state is '${PR_STATE}' — waiting for checks to complete."
exit 1
fi
- name: Generate CTO app installation token
if: steps.check.outputs.approved == 'true'
id: cto-token
run: |
echo "Generating CTO app installation token for merge..."
CTO_PEM_FILE=$(mktemp)
printf '%s' "${{ secrets.CTO_APP_PEM }}" > "$CTO_PEM_FILE"
chmod 600 "$CTO_PEM_FILE"
b64enc() { openssl enc -base64 -A | tr '+/' '-_' | tr -d '='; }
NOW=$(date +%s)
HEADER=$(printf '{"alg":"RS256","typ":"JWT"}' | jq -r -c .)
PAYLOAD=$(printf '{"iat":%s,"exp":%s,"iss":"%s"}' "$NOW" "$((NOW + 600))" "${{ vars.CTO_APP_ID }}" | jq -r -c .)
SIGNED=$(printf '%s' "$HEADER" | b64enc).$(printf '%s' "$PAYLOAD" | b64enc)
SIG=$(printf '%s' "$SIGNED" | openssl dgst -sha256 -sign "$CTO_PEM_FILE" | b64enc)
JWT="${SIGNED}.${SIG}"
rm -f "$CTO_PEM_FILE"
CTO_TOKEN=$(curl -s -X POST \
-H "Authorization: Bearer ${JWT}" \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"https://api.github.com/app/installations/${{ vars.CTO_APP_INSTALLATION_ID }}/access_tokens" \
| jq -r '.token')
echo "cto_token=${CTO_TOKEN}" >> "$GITHUB_OUTPUT"
- name: Install GitHub CLI
if: steps.check.outputs.approved == 'true'
run: |
if ! command -v gh &>/dev/null; then
GH_VERSION="2.74.0"
curl -fsSL "https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz" -o /tmp/gh.tar.gz
tar -xzf /tmp/gh.tar.gz -C /tmp
mkdir -p "$HOME/.local/bin"
mv "/tmp/gh_${GH_VERSION}_linux_amd64/bin/gh" "$HOME/.local/bin/gh"
rm -rf /tmp/gh.tar.gz "/tmp/gh_${GH_VERSION}_linux_amd64"
echo "$HOME/.local/bin" >> "$GITHUB_PATH"
"$HOME/.local/bin/gh" --version
fi
- name: Enable auto-merge
if: steps.check.outputs.approved == 'true'
env:
GH_TOKEN: ${{ steps.cto-token.outputs.cto_token }}
PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
echo "Enabling auto-merge for PR #${PR_NUMBER}"
if ! "$HOME/.local/bin/gh" pr merge "${PR_NUMBER}" --auto --squash --delete-branch 2>&1; then
echo "::warning::Auto-merge not available. Falling back to direct squash merge."
"$HOME/.local/bin/gh" pr merge "${PR_NUMBER}" --squash --delete-branch
else
echo "Auto-merge enabled successfully."
fi