26 changes: 16 additions & 10 deletions .github/workflows/reusable-auto-merge.yaml
@@ -1,8 +1,11 @@
name: Reusable Auto-Merge

# Enables GitHub auto-merge on pull requests authored by trusted bots once
# all required status checks pass. Branch protection on `main` is what
# defines the actual gate; this workflow only flips the auto-merge bit.
# Enables GitHub auto-merge on pull requests authored by trusted bots. The
# repo's branch-protection ruleset defines what GitHub waits on before
# completing the merge; this workflow only flips the auto-merge bit. NOTE:
# where a repo configures no required status checks (the current
# NWarila/nwarila-platform posture), auto-merge completes once the review
# requirements are met and does NOT wait for CI.
#
# Trusted authors:
# - renovate[bot]
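Review bot: the new NOTE (the lines ending "does NOT wait for CI") documents a weakening without resolving it: with no required status checks in the ruleset, a trusted-bot PR is merged into `main` as soon as the review requirements are met, before any CI job has reported. If that posture is intentional, say why here and point at the ruleset or the tracking item that will add required checks; otherwise the fix belongs in the ruleset rather than in this comment. The deleted summary was also more direct about where the gate lives; consider keeping "Branch protection on `main` is what defines the actual gate" as the opening sentence and appending the NOTE after it.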
@@ -26,14 +29,17 @@ name: Reusable Auto-Merge
#
# Why pull_request_target is safe here: authorization runs in a read-only job
# first, and the write-token job is skipped unless the PR author is trusted.
# The OPA policy also rejects checkout/PR-head references in this workflow and
# in pull_request_target callers so future edits cannot quietly add PR-content
# reads under the privileged token.
# That authorize/skip split is the load-bearing safeguard. As defense-in-depth,
# the OPA repo_hygiene policy also denies a denylist of known checkout/PR-head
# reference patterns in this workflow and in pull_request_target callers; that
# substring denylist is not an exhaustive guarantee, so it backstops rather than
# replaces the read-only-authorization design above.
#
# Auto-merge waits for the repo's branch protection required checks to pass
# before merging. If branch protection isn't configured, GitHub will not
# allow auto-merge to be enabled at all; `gh pr merge --auto` will fail
# loudly.
# Auto-merge waits for whatever the repo's branch-protection ruleset requires
# before merging. With no required status checks configured (current posture),
# that is the review requirements only, so it does not wait for CI. If a repo
# has no merge requirements at all, GitHub may refuse to enable auto-merge and
# `gh pr merge --auto` fails loudly.

on:
workflow_call:
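Review bot: "GitHub may refuse to enable auto-merge" replaces a definite statement ("will not allow auto-merge to be enabled at all") with a hedge; either confirm the behaviour and state it, or drop the sentence, since a comment that is unsure what `gh pr merge --auto` does in that case does not help the operator reading the failure. The "does not wait for CI" caveat now appears twice in the same header comment (here and in the NOTE at the top); keep it in one place so the two copies cannot drift. The added admission that the OPA substring denylist is "not an exhaustive guarantee" correctly retracts the old "cannot quietly add PR-content reads" claim; it would be stronger if it also named the invariant the write-token job must preserve, namely never checking out or reading PR-head content under the privileged token, so a reviewer knows what to check when the denylist misses a pattern.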