From ad879615752cf0d175dbc461f90356f78cd8a9b1 Mon Sep 17 00:00:00 2001
From: "privilegedescalation-engineer[bot]" <269729446+privilegedescalation-engineer[bot]@users.noreply.github.com>
Date: Thu, 23 Apr 2026 03:44:37 +0000
Subject: [PATCH] chore: remove auto-merge workflow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Board denied auto-merge (PRI-93). Workflow was never activated — secrets were never provisioned. Removes dead code from main. PR #110 | PRI-237
---
 .github/workflows/auto-merge.yaml | 155 ------------------------------
 1 file changed, 155 deletions(-)
 delete mode 100644 .github/workflows/auto-merge.yaml

diff --git a/.github/workflows/auto-merge.yaml b/.github/workflows/auto-merge.yaml
deleted file mode 100644
index f6c9f75..0000000
--- a/.github/workflows/auto-merge.yaml
+++ /dev/null
@@ -1,155 +0,0 @@
-name: Auto Merge
-
-on:
- pull_request_review:
- types: [submitted, dismissed]
- pull_request:
- types: [opened, reopened, synchronize]
-
-jobs:
- auto-merge:
- name: Auto Merge (QA + CTO Approved)
- runs-on: runners-privilegedescalation
- timeout-minutes: 5
-
- steps:
- - name: Check dual approval
- id: check
- env:
- GH_TOKEN: ${{ github.token }}
- CTO_REVIEWER: privilegedescalation-cto
- QA_REVIEWER: privilegedescalation-qa
- REPO: ${{ github.repository }}
- PR_NUMBER: ${{ github.event.pull_request.number }}
- run: |
- echo "Checking approvals on PR #${PR_NUMBER} in ${REPO}"
-
- if [ -z "${{ vars.CTO_APP_ID }}" ] || [ -z "${{ vars.CTO_APP_INSTALLATION_ID }}" ] || [ -z "${{ secrets.CTO_APP_PEM }}" ]; then
- echo "::error::Missing CTO app configuration. Set CTO_APP_ID, CTO_APP_INSTALLATION_ID (repository variables), and CTO_APP_PEM (secret) before enabling auto-merge. See PRI-103."
- exit 1
- fi
-
- REVIEWS=$(curl -sf \
- -H "Authorization: Bearer ${GH_TOKEN}" \
- -H "Accept: application/vnd.github.v3+json" \
- "https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
-
- CTO_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${CTO_REVIEWER}" \
- '[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
-
- # Note: GitHub review model returns all reviews; `last` here intentionally picks the most recent review per user.
- # A user cannot have two approvals on the same PR, so this correctly checks whether the latest review is an approval.
-
- QA_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${QA_REVIEWER}" \
- '[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
-
- # Note: Same as above — `last` per user reflects the most recent review state.
-
- echo "CTO (${CTO_REVIEWER}) approved: ${CTO_APPROVED}"
- echo "QA (${QA_REVIEWER}) approved: ${QA_APPROVED}"
-
- if [ "${CTO_APPROVED}" = "true" ] && [ "${QA_APPROVED}" = "true" ]; then
- echo "Both CTO and QA have approved."
- echo "approved=true" >> "$GITHUB_OUTPUT"
- else
- echo "Dual approval not yet complete. Skipping merge."
- if [ "${CTO_APPROVED}" != "true" ]; then
- echo " Missing: CTO approval from ${CTO_REVIEWER}"
- fi
- if [ "${QA_APPROVED}" != "true" ]; then
- echo " Missing: QA approval from ${QA_REVIEWER}"
- fi
- echo "approved=false" >> "$GITHUB_OUTPUT"
- exit 1
- fi
-
- - name: Check PR merge readiness
- if: steps.check.outputs.approved == 'true'
- env:
- GH_TOKEN: ${{ github.token }}
- REPO: ${{ github.repository }}
- PR_NUMBER: ${{ github.event.pull_request.number }}
- run: |
- echo "Checking merge readiness for PR #${PR_NUMBER}"
-
- PR_STATE=$(curl -sf \
- -H "Authorization: Bearer ${GH_TOKEN}" \
- -H "Accept: application/vnd.github.v3+json" \
- "https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.mergeable_state')
-
- echo "PR mergeable_state: ${PR_STATE}"
-
- if [ "${PR_STATE}" = "clean" ] || [ "${PR_STATE}" = "unstable" ] || [ "${PR_STATE}" = "has_hooks" ]; then
- echo "All required status checks passed."
- elif [ "${PR_STATE}" = "blocked" ]; then
- echo "PR is blocked (required checks not passing)."
- exit 1
- elif [ "${PR_STATE}" = "dirty" ]; then
- echo "PR has merge conflicts. Cannot auto-merge."
- exit 1
- elif [ "${PR_STATE}" = "behind" ]; then
- echo "PR is behind base branch. Cannot auto-merge."
- exit 1
- else
- echo "PR state is '${PR_STATE}' — waiting for checks to complete."
- exit 1
- fi
-
- - name: Generate CTO app installation token
- if: steps.check.outputs.approved == 'true'
- id: cto-token
- run: |
- echo "Generating CTO app installation token for merge..."
-
- CTO_PEM_FILE=$(mktemp)
- printf '%s' "${{ secrets.CTO_APP_PEM }}" > "$CTO_PEM_FILE"
- chmod 600 "$CTO_PEM_FILE"
-
- b64enc() { openssl enc -base64 -A | tr '+/' '-_' | tr -d '='; }
-
- NOW=$(date +%s)
- HEADER=$(printf '{"alg":"RS256","typ":"JWT"}' | jq -r -c .)
- PAYLOAD=$(printf '{"iat":%s,"exp":%s,"iss":"%s"}' "$NOW" "$((NOW + 600))" "${{ vars.CTO_APP_ID }}" | jq -r -c .)
- SIGNED=$(printf '%s' "$HEADER" | b64enc).$(printf '%s' "$PAYLOAD" | b64enc)
- SIG=$(printf '%s' "$SIGNED" | openssl dgst -sha256 -sign "$CTO_PEM_FILE" | b64enc)
- JWT="${SIGNED}.${SIG}"
-
- rm -f "$CTO_PEM_FILE"
-
- CTO_TOKEN=$(curl -s -X POST \
- -H "Authorization: Bearer ${JWT}" \
- -H "Accept: application/vnd.github+json" \
- -H "X-GitHub-Api-Version: 2022-11-28" \
- "https://api.github.com/app/installations/${{ vars.CTO_APP_INSTALLATION_ID }}/access_tokens" \
- | jq -r '.token')
-
- echo "cto_token=${CTO_TOKEN}" >> "$GITHUB_OUTPUT"
-
- - name: Install GitHub CLI
- if: steps.check.outputs.approved == 'true'
- run: |
- if ! command -v gh &>/dev/null; then
- GH_VERSION="2.74.0"
- curl -fsSL "https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.tar.gz" -o /tmp/gh.tar.gz
- tar -xzf /tmp/gh.tar.gz -C /tmp
- mkdir -p "$HOME/.local/bin"
- mv "/tmp/gh_${GH_VERSION}_linux_amd64/bin/gh" "$HOME/.local/bin/gh"
- rm -rf /tmp/gh.tar.gz "/tmp/gh_${GH_VERSION}_linux_amd64"
- echo "$HOME/.local/bin" >> "$GITHUB_PATH"
- "$HOME/.local/bin/gh" --version
- fi
-
- - name: Enable auto-merge
- if: steps.check.outputs.approved == 'true'
- env:
- GH_TOKEN: ${{ steps.cto-token.outputs.cto_token }}
- PR_NUMBER: ${{ github.event.pull_request.number }}
- run: |
- echo "Enabling auto-merge for PR #${PR_NUMBER}"
- if ! "$HOME/.local/bin/gh" pr merge "${PR_NUMBER}" --auto --squash --delete-branch 2>&1; then
- echo "::warning::Auto-merge not available. Falling back to direct squash merge."
- "$HOME/.local/bin/gh" pr merge "${PR_NUMBER}" --squash --delete-branch
- else
- echo "Auto-merge enabled successfully."
- fi
-