Skip to content

fix(auto-merge): fail closed on trusted-bot review gates#553

Merged
botantler-1[bot] merged 16 commits into
mainfrom
claude/auto-merge-pentad-gate
Jul 12, 2026
Merged

fix(auto-merge): fail closed on trusted-bot review gates#553
botantler-1[bot] merged 16 commits into
mainfrom
claude/auto-merge-pentad-gate

Conversation

@devantler

@devantler devantler commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

🤖 Generated by the Daily AI Engineer

Why

The shared auto-merge workflow armed trusted-bot PRs as soon as they opened, so a bot PR could merge on green CI alone with no current-head review or CodeRabbit pre-merge result (live case: ksail#6058). That contradicts the portfolio pentad gate.

GitHub can bind an approval or merge request to a head SHA, but it cannot atomically bind mutable review and pre-merge evidence to the auto-merge call. A final evidence snapshot would still leave a fail-open race.

What

  • Adds a fail-closed, default-off gate that requires both a green current-head review (CodeRabbit or Codex) and a fresh green CodeRabbit pre-merge result before approval.
  • Treats missing, stale, edited, malformed, mixed, unknown, rate-limited, or unreadable evidence as red.
  • Selects the newest Codex result before parsing it and uniquely resolves abbreviated reviewed commit IDs through GitHub to the exact PR head.
  • Fetches reviews through paginated GraphQL and orders CodeRabbit evidence by the later of submission/edit time, including Bot-name normalization.
  • Rejects CodeRabbit rate-limit overlays even when they retain a prior ✅ 5 section.
  • Actively revokes both classic auto-merge and merge-queue state when gates are red or unreadable.
  • Uses the conservative enforced-mode fallback documented in fix(auto-merge): wait for current-head review and pre-merge gates #548: revoke stale arming before approval, approve only the gate-proven head, revoke again after approval, and leave final arming to the maintenance agent's live pentad check.
  • Preserves the legacy auto-arm path exactly while enforcement is off.

Rollout: enforcement remains default-off behind the enforce-review-gates input / ENFORCE_MERGE_GATES variable. Callers that opt in add the documented submitted/edited/dismissed review and created/edited/deleted comment triggers.

Validation

  • 36 table-driven pass/fail fixtures
  • ShellCheck and bash -n
  • yamllint, YAML/JSON parsing, and git diff --check
  • live paginated GraphQL review query and Bot-name normalization
  • live GitHub resolution of Codex's 10-character reviewed ID to the exact PR head
  • actionlint matches the untouched baseline's two known job.workflow_* parser limitations
  • local zizmor crashes identically on the untouched baseline; CI remains authoritative

Fixes #548

The privileged workflow approved and armed trusted-bot PRs immediately,
so a bot PR could merge on green CI alone with no current-head review or
pre-merge result (live case ksail#6058). A fail-closed gate script now
proves both surfaces at the exact current head before the approve/arm
steps run; anything missing, stale, mixed, superseded, or unparseable
skips arming and leaves the PR to the maintenance agent's live check.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Daily AI Engineer

@codex review

@github-code-quality

github-code-quality Bot commented Jul 11, 2026

Copy link
Copy Markdown

Code Coverage Overview

Languages: Go, C#

Go / code-coverage/test

The overall coverage remains at 50%, unchanged from the branch.

C# / code-coverage/dotnet

The overall coverage remains at 100%, unchanged from the branch.


Updated July 12, 2026 13:25 UTC
Code Coverage is in Public Preview. Learn more and provide us with your feedback.

@github-actions

github-actions Bot commented Jul 11, 2026

Copy link
Copy Markdown

MegaLinter analysis: Success

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ COPYPASTE jscpd yes no no 0.41s
✅ GO revive 2 0 0 9.63s
✅ REPOSITORY betterleaks yes no no 0.58s
✅ REPOSITORY checkov yes no no 18.66s
✅ REPOSITORY gitleaks yes no no 0.11s
✅ REPOSITORY git_diff yes no no 0.03s
✅ REPOSITORY osv-scanner yes no no 0.58s
✅ REPOSITORY secretlint yes no no 0.98s
✅ REPOSITORY syft yes no no 2.33s
✅ REPOSITORY trivy yes no no 12.04s
✅ REPOSITORY trivy-sbom yes no no 0.13s
✅ REPOSITORY trufflehog yes no no 4.9s

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@9.6.0 --custom-flavor-setup --custom-flavor-linters COPYPASTE_JSCPD,GO_REVIVE,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_BETTERLEAKS,REPOSITORY_OSV_SCANNER,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 17851dc981

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/enable-auto-merge.yaml Outdated
Comment thread .scripts/check-merge-gates.sh Outdated
Comment thread .github/workflows/enable-auto-merge.yaml Outdated
Comment thread .scripts/check-merge-gates.sh Outdated
Comment thread .scripts/check-merge-gates.sh Outdated
@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Daily AI Engineer

@codex review

(Re-firing — the earlier request hit the Codex usage limit, which has since lifted.)

@devantler devantler left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bot PRs do not need a review before merge, so I think this change is wrong. Bots mostly bump dependencies or create release artifact prs etc. All of which is trusted procedures which would be a waste to use reviews on.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 17851dc981

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/enable-auto-merge.yaml Outdated
Comment thread .scripts/check-merge-gates.sh Outdated
Comment thread .scripts/check-merge-gates.sh Outdated
Comment thread .github/workflows/enable-auto-merge.yaml
Comment thread .github/workflows/enable-auto-merge.yaml
Comment thread .scripts/check-merge-gates.sh Outdated
Addresses the six review findings on the pentad gate:
- checkout the gate script from the workflow-defining repository so
  required-workflow/workflow_call consumers do not run it from the
  caller's workspace (where it does not exist)
- re-evaluate on pull_request_review and issue_comment events so review
  results that land after the pull_request events can still arm the PR,
  with live open/non-draft eligibility re-proven per event shape
- take CodeRabbit's LATEST verdict at the head instead of any APPROVED,
  so a superseding CHANGES_REQUESTED or dismissal blocks arming and Codex
  cannot override an explicit head verdict
- reject warning marks in the full pre-merge shape like the compact one
- select the pre-merge summary by updated_at (CodeRabbit edits it in
  place) and require it not to predate the head commit
- bind approval (commit_id) and arming (--match-head-commit) to the
  gate-proven head so a racing push invalidates both
Five new fixtures pin the behaviors (18 total).
Comment thread .github/workflows/enable-auto-merge.yaml Fixed
Comment thread .github/workflows/enable-auto-merge.yaml Fixed
@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Daily AI Engineer

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a0a6357306

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/enable-auto-merge.yaml Outdated
Comment thread .github/workflows/enable-auto-merge.yaml
Comment thread .github/workflows/enable-auto-merge.yaml Outdated
Comment thread .github/workflows/enable-auto-merge.yaml Outdated
…sarm

Addresses the second review round:
- default-off enforcement (enforce-review-gates input / ENFORCE_MERGE_GATES
  variable) per the feature-flag-first rule, so consumers keep pre-gate bot
  auto-merge until the flag is flipped after validation
- gate script checked out via job.workflow_repository/job.workflow_sha (the
  repo's same-commit self-checkout idiom) — correct in workflow_call, where
  github.workflow_ref names the CALLER, and never a PR-controlled ref
- any CodeRabbit verdict re-evaluates (not only approvals) and a gate that
  turned red actively disarms a previously armed PR
- caller-side trigger requirement documented (a reusable workflow cannot
  schedule its callers)
@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Daily AI Engineer

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e469f87bb4

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/enable-auto-merge.yaml Outdated
Comment thread .scripts/check-merge-gates.sh Outdated
…floor

A dismissed CodeRabbit approval emits pull_request_review 'dismissed',
which the workflow did not subscribe to, so a previously-armed PR kept
auto-merge enabled until an unrelated event fired. And the pre-merge
freshness floor came from the head commit's committer date, which a push
of a previously-created commit object predates — the floor now uses the
earliest check-suite created_at for the head SHA (when GitHub first saw
it), falling back to committer date only when no suite exists.
@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Daily AI Engineer

@codex review

@devantler

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Daily AI Engineer

Re-requesting — the 02:47Z review request produced no output (silent drop). Head is fabd7c9 (P1+P2 fixes: pull_request_review dismissed-disarm + premerge freshness floor).

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fabd7c9ae9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/enable-auto-merge.yaml Outdated
Comment thread README.md Outdated
Comment thread .github/workflows/enable-auto-merge.yaml Outdated
Comment thread .github/workflows/enable-auto-merge.yaml Outdated

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Daily AI Engineer

@codex review for the exact-head SHA resolution fix at 4f4e794

Falling back because the CodeRabbit re-review was explicitly rate-limited for 42 minutes.

@devantler
devantler marked this pull request as ready for review July 12, 2026 12:55

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Daily AI Engineer

@codex review for the rate-limit fail-closed fix at 2a4c8c3

CodeRabbit remains unavailable until roughly 13:36Z.

@botantler-1
botantler-1 Bot enabled auto-merge (squash) July 12, 2026 13:12

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4f4e794676

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .scripts/check-merge-gates.sh Outdated
Comment thread .scripts/check-merge-gates.sh Outdated
@chatgpt-codex-connector

Copy link
Copy Markdown

Codex Review: Didn't find any major issues. What shall we delve into next?

Reviewed commit: 2a4c8c3dcd

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Daily AI Engineer

@codex review for the review-recency fixes at 9584038

CodeRabbit remains rate-limited until roughly 13:36Z.

@botantler-1
botantler-1 Bot merged commit 51ae69c into main Jul 12, 2026
112 checks passed
@botantler-1
botantler-1 Bot deleted the claude/auto-merge-pentad-gate branch July 12, 2026 13:28
@github-project-automation github-project-automation Bot moved this from 🫴 Ready to ✅ Done in 🌊 Project Board Jul 12, 2026

Copy link
Copy Markdown
Contributor Author

🤖 Generated by the Daily AI Engineer

@coderabbitai review

Falling back after the current-head Codex request produced no artifact for 15 minutes. The prior CodeRabbit cooldown has elapsed; please evaluate final head 9584038.

@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown

@devantler I'll review the current head (9584038) now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9584038d8c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .scripts/check-merge-gates.sh
Comment thread .scripts/disarm-auto-merge.sh
Comment thread .scripts/check-merge-gates.sh
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

Status: ✅ Done

Development

Successfully merging this pull request may close these issues.

fix(auto-merge): wait for current-head review and pre-merge gates

2 participants