feat(38-01): review-bot auto-merge mechanism (classifier + workflow)#17
Open
OgeonX-Ai wants to merge 2 commits into
Open
feat(38-01): review-bot auto-merge mechanism (classifier + workflow)#17OgeonX-Ai wants to merge 2 commits into
OgeonX-Ai wants to merge 2 commits into
Conversation
- classify-automerge-eligibility.ps1: IN-CLASS iff dependabot-manifest-only OR docs-only; workflow/executable denylist applies to ALL authors including dependabot (checker blocker #2 regression fixture covered) - decision derives from gh pr view changed paths + author only, never labels/title - auto-merge-eligibility.yml wires the classifier as a required status check (context: automerge-eligibility) on pull_request events - -SelfTest covers 5 table-driven fixtures: pure-docs, docs+workflow-file, dependabot-manifest-only, dependabot+workflow-file (regression), mixed
- pull_request_target trigger; mints a cas-review-bot App installation token via actions/create-github-app-token (pinned SHA bcd2ba4, v3.2.0) - gate 1: eligibility classifier -- OUT-OF-CLASS stops before any approval - gate 2: checks out autogen at pinned commit b0524b7 (verified on origin/main via PR #17; never feat/phase-29-peer-critic) and runs critic_cli --severity-gate blocking against the PR diff; non-zero exit requests changes instead of approving - gate 3: gh pr checks --required must be green - only when all three gates pass: gh pr review --approve as the App token, then gh pr merge --auto --squash -- the App is the sole approving identity, never GITHUB_TOKEN or an agent PAT
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Open
4 tasks
Comment on lines
+59
to
+68
| - name: Compute PR diff (base...head) | ||
| id: diff | ||
| if: steps.classify.outputs.eligible == 'true' | ||
| run: | | ||
| set -euo pipefail | ||
| git fetch origin "${{ github.event.pull_request.base.ref }}" --depth=100 | ||
| git fetch origin "pull/${{ github.event.pull_request.number }}/head:pr-head" --depth=100 | ||
| git diff "origin/${{ github.event.pull_request.base.ref }}...pr-head" > "${{ github.workspace }}/pr.diff" | ||
|
|
||
| - name: Checkout autogen (pinned commit, for critic_cli) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Implements the review-bot mechanism for REQ-1.5.1 (Phase 38-01):
classify-automerge-eligibility.ps1: fail-closed diff classifier. IN-CLASS iff (dependabot[bot] author AND every changed path is a dependency-manifest file) OR (every changed path matches the docs allowlist). The workflow/executable denylist applies to ALL authors including dependabot ---SelfTestcarries the blocker-docs: establish enterprise organization governance #2 regression fixture (dependabot-with-workflow-file-> OUT-OF-CLASS).auto-merge-eligibility.yml: wires the classifier as the required status checkautomerge-eligibilityon every PR.review-bot.yml: mints acas-review-botApp installation token, then gates approval on three fail-closed checks in sequence -- classifier IN-CLASS, autogencritic_cli(pinned toorigin/maincommitb0524b7, PR feat(38-01): review-bot auto-merge mechanism (classifier + workflow) #17 -- never the closedfeat/phase-29-peer-criticbranch) reporting 0 blocking findings, and green required CI checks. Only then does the App (neverGITHUB_TOKEN, never an agent PAT) approve and enable squash auto-merge.Full design rationale, class boundary, and the honest trust model:
docs/merge-flow-policy.md(companion PR on the root repo).Remaining human step (cannot be automated by an agent)
This PR does not include the GitHub App itself -- App creation requires org owner action:
cas-review-bot(Pull requests: Read & Write, Contents: Read & Write, Checks: Read, Metadata: Read) and install it org-wide onCoding-Autopilot-System.REVIEW_BOT_APP_ID/REVIEW_BOT_PRIVATE_KEYas org Actions secrets.pwsh -File scripts/apply-branch-protection.ps1 -Repos org-dotgithub(root-repo script, companion PR).automerge-eligibilitygoes green,review-botapproves aftercritic_clipasses, auto-merge lands it with zero manual click. Then confirm a PR touching a.ps1/workflow file is held (OUT-OF-CLASS, not approved).Branch protection was not applied for real by this PR -- only
-DryRunevidence was captured; application is operator-gated.Test plan
pwsh -File .github/scripts/classify-automerge-eligibility.ps1 -SelfTest-- 5/5 fixtures pass, exit 0..ps1file (PS 5.1 hazard guard).🤖 Generated with Claude Code