fix(auto-merge): fail closed on trusted-bot review gates#553
Conversation
The privileged workflow approved and armed trusted-bot PRs immediately, so a bot PR could merge on green CI alone with no current-head review or pre-merge result (live case ksail#6058). A fail-closed gate script now proves both surfaces at the exact current head before the approve/arm steps run; anything missing, stale, mixed, superseded, or unparseable skips arming and leaves the PR to the maintenance agent's live check. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@codex review |
Code Coverage OverviewLanguages: Go, C# Go / code-coverage/testThe overall coverage remains at 50%, unchanged from the branch. C# / code-coverage/dotnetThe overall coverage remains at 100%, unchanged from the branch. Updated |
✅MegaLinter analysis: Success
Notices📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining See detailed reports in MegaLinter artifacts Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 17851dc981
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
@codex review (Re-firing — the earlier request hit the Codex usage limit, which has since lifted.) |
devantler
left a comment
There was a problem hiding this comment.
Bot PRs do not need a review before merge, so I think this change is wrong. Bots mostly bump dependencies or create release artifact prs etc. All of which is trusted procedures which would be a waste to use reviews on.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 17851dc981
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Addresses the six review findings on the pentad gate: - checkout the gate script from the workflow-defining repository so required-workflow/workflow_call consumers do not run it from the caller's workspace (where it does not exist) - re-evaluate on pull_request_review and issue_comment events so review results that land after the pull_request events can still arm the PR, with live open/non-draft eligibility re-proven per event shape - take CodeRabbit's LATEST verdict at the head instead of any APPROVED, so a superseding CHANGES_REQUESTED or dismissal blocks arming and Codex cannot override an explicit head verdict - reject warning marks in the full pre-merge shape like the compact one - select the pre-merge summary by updated_at (CodeRabbit edits it in place) and require it not to predate the head commit - bind approval (commit_id) and arming (--match-head-commit) to the gate-proven head so a racing push invalidates both Five new fixtures pin the behaviors (18 total).
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a0a6357306
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
…sarm Addresses the second review round: - default-off enforcement (enforce-review-gates input / ENFORCE_MERGE_GATES variable) per the feature-flag-first rule, so consumers keep pre-gate bot auto-merge until the flag is flipped after validation - gate script checked out via job.workflow_repository/job.workflow_sha (the repo's same-commit self-checkout idiom) — correct in workflow_call, where github.workflow_ref names the CALLER, and never a PR-controlled ref - any CodeRabbit verdict re-evaluates (not only approvals) and a gate that turned red actively disarms a previously armed PR - caller-side trigger requirement documented (a reusable workflow cannot schedule its callers)
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e469f87bb4
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
…floor A dismissed CodeRabbit approval emits pull_request_review 'dismissed', which the workflow did not subscribe to, so a previously-armed PR kept auto-merge enabled until an unrelated event fired. And the pre-merge freshness floor came from the head commit's committer date, which a push of a previously-created commit object predates — the floor now uses the earliest check-suite created_at for the head SHA (when GitHub first saw it), falling back to committer date only when no suite exists.
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fabd7c9ae9
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4f4e794676
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
Codex Review: Didn't find any major issues. What shall we delve into next? Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
@coderabbitai review Falling back after the current-head Codex request produced no artifact for 15 minutes. The prior CodeRabbit cooldown has elapsed; please evaluate final head 9584038. |
|
✅ Action performedReview finished.
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 9584038d8c
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Why
The shared auto-merge workflow armed trusted-bot PRs as soon as they opened, so a bot PR could merge on green CI alone with no current-head review or CodeRabbit pre-merge result (live case: ksail#6058). That contradicts the portfolio pentad gate.
GitHub can bind an approval or merge request to a head SHA, but it cannot atomically bind mutable review and pre-merge evidence to the auto-merge call. A final evidence snapshot would still leave a fail-open race.
What
✅ 5section.Rollout: enforcement remains default-off behind the
enforce-review-gatesinput /ENFORCE_MERGE_GATESvariable. Callers that opt in add the documented submitted/edited/dismissed review and created/edited/deleted comment triggers.Validation
bash -ngit diff --checkactionlintmatches the untouched baseline's two knownjob.workflow_*parser limitationszizmorcrashes identically on the untouched baseline; CI remains authoritativeFixes #548