diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml index c531ebe..29b908d 100644 --- a/.github/workflows/auto-merge.yml +++ b/.github/workflows/auto-merge.yml @@ -1,28 +1,17 @@ -# Auto-merge — native GitHub auto-merge via GITHUB_TOKEN. No custom App, no -# AUTOMERGE_* secrets, no reusable workflow. +# Auto-merge — enables GitHub native auto-merge (squash) via GITHUB_TOKEN. # # Synced from github-settings-automation/templates/auto-merge.yml by the # weekly enforce-repo-settings sweep. Do not hand-edit per-repo. # -# This file is per-repo and event-driven. It enables native GitHub auto-merge -# only for trusted automation branches (claude/, copilot/). There is no central -# PR-heal cron in the merge path, and no review-bot (CodeRabbit etc.) approval -# ever triggers a merge. +# Event-driven and per-repo: enables native auto-merge only for trusted +# automation branches (prefix policy below). Renovate PRs don't need this +# workflow — the shared preset (github>ANcpLua/github-settings-automation) +# sets `platformAutomerge: true`. # -# Renovate bot PRs do not need this workflow: Renovate enables native -# auto-merge itself via `platformAutomerge: true` in the shared preset -# (github>ANcpLua/github-settings-automation — default.json preset, merged -# from the archived ANcpLua/renovate-config repo on 2026-05-25). -# -# Prereqs (one-time per repo): Settings → General → "Allow auto-merge" -# enabled. Branch protection on `main` lists the required status checks; -# native auto-merge waits for them. enforce-repo-settings.yml flips -# allow_auto_merge automatically across the fleet. -# -# Background: the AUTOMERGE_APP_ID GitHub App was deleted on 2026-05-12 -# as an antipattern (single point of failure across N repos, maintenance -# overhead, and Renovate's platformAutomerge already does the bot tier -# natively without it). +# Prereqs (one-time per repo): "Allow auto-merge" enabled in repo settings, +# and branch protection on `main` listing the required status checks native +# auto-merge waits for. enforce-repo-settings.yml flips allow_auto_merge +# automatically across the fleet. # # Branch-prefix policy: # - claude/ — Claude Code agents diff --git a/.github/workflows/enforce-repo-settings.yml b/.github/workflows/enforce-repo-settings.yml index d63a6ce..e4471ed 100644 --- a/.github/workflows/enforce-repo-settings.yml +++ b/.github/workflows/enforce-repo-settings.yml @@ -120,14 +120,11 @@ jobs: || echo "::warning::sync-branch-protection.sh exited non-zero for $repo" done < targets.txt - # Sync the canonical nuget-publish.yml workflow + NUGET_USER - # secret into repos opted-in via scripts/drift-policy.yaml's - # `nuget_publishers:` list. Eliminates per-repo authoring of - # publish workflows. Each publisher gets the same tag-triggered - # OIDC trusted-publishing pipeline; future bumps to action SHAs - # or auth shape land once and propagate. NUGET_USER is the - # nuget.org username (e.g. ANcpLua) used by NuGet/login@v1 during - # the OIDC token exchange. See scripts/sync-nuget-publish.sh + + # Sync the canonical nuget-publish.yml workflow + NUGET_USER secret + # into repos opted-in via scripts/drift-policy.yaml's + # `nuget_publishers:` list. NUGET_USER is the nuget.org username + # (e.g. ANcpLua) used by NuGet/login@v1 during the OIDC token + # exchange. See scripts/sync-nuget-publish.sh + # scripts/sync-nuget-secret.sh. - name: Sync nuget-publish.yml + NUGET_USER (opted-in repos) env: @@ -154,11 +151,9 @@ jobs: done < nuget-targets.txt fi - # Sync auto-merge.yml. This REPLACES — the bug we fix here (the - # now-removed owner-clause that caused PR#170 to merge prematurely) lives - # in the existing per-repo files and must be overwritten. Skip repos - # that don't already have an auto-merge.yml: we don't push the - # workflow into repos that opted out. + # Sync auto-merge.yml. Drifted per-repo copies are REPLACED with the + # canonical template. Repos without an auto-merge.yml are skipped — + # the sweep never seeds the workflow into repos that opted out. - name: Sync auto-merge.yml (replace if drifted from template) env: GH_TOKEN: ${{ secrets.REPO_SETTINGS_PAT_USER }} diff --git a/README.md b/README.md index b6937d8..bce2cc9 100644 --- a/README.md +++ b/README.md @@ -47,19 +47,9 @@ they are wanted per-repo review tuning and are never touched by cleanup. | `enforce-repo-settings.yml` | weekly cron (Mon 17:00 UTC) + dispatch | Targets repos carrying `qyl` or `ancplua-fleet` in `topic` mode. Enables `delete_branch_on_merge` and `allow_auto_merge`; removes retired Codacy/triage-bot/coderabbit-autofix files; syncs branch-protection overrides; syncs opted-in NuGet publishing; and syncs `auto-merge.yml` where already present. | | `drift-check.yml` | weekly cron (Mon 06:00 UTC) + dispatch | Runs the semantic drift detector over the watchlist in `scripts/drift-policy.yaml` and opens or updates a `config-drift` issue when drift is found. | -The removed cron lanes were: - -- `codex-review.yml`: posted review requests across the fleet every 15 minutes. -- `pr-heal.yml`: scanned for stuck PRs every 15 minutes and posted repair - handoff prompts. - -Those files were deleted because they duplicated CodeRabbit, created comment -noise, and kept a manual handoff model alive. - ## Auto-Merge Posture -No third-party auto-merge App and no destructive merge workflow. The fleet -relies on: +The fleet relies on: - GitHub native auto-merge, enabled by `enforce-repo-settings.yml`. - Renovate `platformAutomerge: true` for dependency PRs that the shared preset diff --git a/scripts/remove-retired-review-automation.sh b/scripts/remove-retired-review-automation.sh index 70bd840..492b64e 100755 --- a/scripts/remove-retired-review-automation.sh +++ b/scripts/remove-retired-review-automation.sh @@ -1,8 +1,7 @@ #!/usr/bin/env bash # Remove retired reviewer automation from one target repository. # -# Retired = Codacy + the old triage-bot + the coderabbit-autofix WORKFLOW -# (auto-commenting at reviewer bots is retired automation, 2026-06-11). +# Retired = Codacy, triage-bot, and the coderabbit-autofix workflow. # Per-repo `.coderabbit.yaml` CONFIG files are NOT retired — they are wanted # per-repo review tuning and must survive fleet sweeps. Never add # .coderabbit.yaml (or any config path) to the kill list. diff --git a/scripts/sync-branch-protection.sh b/scripts/sync-branch-protection.sh index 81b86b8..eea640f 100755 --- a/scripts/sync-branch-protection.sh +++ b/scripts/sync-branch-protection.sh @@ -1,11 +1,9 @@ #!/usr/bin/env bash # Sync canonical branch-protection overrides onto one repo's default branch. # -# Why this exists: PR #174 on ANcpLua/ANcpLua.Analyzers was blocked by -# `required_conversation_resolution: true` after a reviewer integration was -# removed (orphaned bot review threads, no way to resolve). The canonical -# policy forces that field to `false` so no future bot-uninstall locks the -# fleet out the same way. The sync engine OWNS that field going forward. +# The canonical policy forces `required_conversation_resolution: false` so +# a removed bot reviewer's orphaned review threads can never block merging. +# The sync engine owns every key present in the policy file. # # Algorithm: # 1. GET current protection. If branch has none (404), skip — the sync diff --git a/scripts/sync-nuget-secret.sh b/scripts/sync-nuget-secret.sh index 2686313..56edc57 100755 --- a/scripts/sync-nuget-secret.sh +++ b/scripts/sync-nuget-secret.sh @@ -4,9 +4,8 @@ # g-s-a, every fleet publisher inherits it on the next sync sweep. # # NUGET_USER (the nuget.org username, e.g. `ANcpLua`) is what -# `NuGet/login@v1` uses during OIDC trusted-publishing token exchange. -# It replaces the legacy NUGET_API_KEY pattern (rotation no longer -# needed — keys are minted per-workflow-run via OIDC). +# `NuGet/login@v1` uses during OIDC trusted-publishing token exchange; +# no static API key secret is needed. # # Skips silently if NUGET_USER env var is empty (caller decides whether # that's an error — useful for dry-runs). diff --git a/templates/auto-merge.yml b/templates/auto-merge.yml index c531ebe..29b908d 100644 --- a/templates/auto-merge.yml +++ b/templates/auto-merge.yml @@ -1,28 +1,17 @@ -# Auto-merge — native GitHub auto-merge via GITHUB_TOKEN. No custom App, no -# AUTOMERGE_* secrets, no reusable workflow. +# Auto-merge — enables GitHub native auto-merge (squash) via GITHUB_TOKEN. # # Synced from github-settings-automation/templates/auto-merge.yml by the # weekly enforce-repo-settings sweep. Do not hand-edit per-repo. # -# This file is per-repo and event-driven. It enables native GitHub auto-merge -# only for trusted automation branches (claude/, copilot/). There is no central -# PR-heal cron in the merge path, and no review-bot (CodeRabbit etc.) approval -# ever triggers a merge. +# Event-driven and per-repo: enables native auto-merge only for trusted +# automation branches (prefix policy below). Renovate PRs don't need this +# workflow — the shared preset (github>ANcpLua/github-settings-automation) +# sets `platformAutomerge: true`. # -# Renovate bot PRs do not need this workflow: Renovate enables native -# auto-merge itself via `platformAutomerge: true` in the shared preset -# (github>ANcpLua/github-settings-automation — default.json preset, merged -# from the archived ANcpLua/renovate-config repo on 2026-05-25). -# -# Prereqs (one-time per repo): Settings → General → "Allow auto-merge" -# enabled. Branch protection on `main` lists the required status checks; -# native auto-merge waits for them. enforce-repo-settings.yml flips -# allow_auto_merge automatically across the fleet. -# -# Background: the AUTOMERGE_APP_ID GitHub App was deleted on 2026-05-12 -# as an antipattern (single point of failure across N repos, maintenance -# overhead, and Renovate's platformAutomerge already does the bot tier -# natively without it). +# Prereqs (one-time per repo): "Allow auto-merge" enabled in repo settings, +# and branch protection on `main` listing the required status checks native +# auto-merge waits for. enforce-repo-settings.yml flips allow_auto_merge +# automatically across the fleet. # # Branch-prefix policy: # - claude/ — Claude Code agents diff --git a/templates/branch-protection.json b/templates/branch-protection.json index 8c99fdb..65e792e 100644 --- a/templates/branch-protection.json +++ b/templates/branch-protection.json @@ -1,7 +1,7 @@ { "_comment": "Canonical branch-protection overrides applied to every fleet repo's default branch by scripts/sync-branch-protection.sh (called from .github/workflows/enforce-repo-settings.yml). Only keys present here are FORCED; everything else (CI checks, review requirements, restrictions) is preserved per-repo. To extend: add a key here, the sync engine picks it up on the next run.", "_why_each_key": { - "required_conversation_resolution": "PR #174 on ANcpLua/ANcpLua.Analyzers (2026-05-25) was blocked by orphaned bot review threads after a reviewer integration was removed. With conv_resolution=true, any removed bot reviewer can lock the fleet out of merging until each thread is manually resolved. Forcing this to false moves the gate to sturdier mechanisms (CI checks + required reviews when present) that do not depend on per-thread state managed by a reviewer that may no longer exist.", + "required_conversation_resolution": "Forced false: orphaned review threads from a removed bot reviewer add a manual per-thread gate; the merge gate stays with CI checks and required reviews instead of per-thread state.", "allow_force_pushes": "Universal: history loss prevention.", "allow_deletions": "Universal: branch protection should imply existence protection.", "lock_branch": "Default off — only set true when explicitly archiving a branch." diff --git a/templates/nuget-publish.yml b/templates/nuget-publish.yml index 0b7dde0..37e2802 100644 --- a/templates/nuget-publish.yml +++ b/templates/nuget-publish.yml @@ -33,16 +33,8 @@ # - To deliberately diverge from canonical in one specific repo, add a # line `# CANONICAL-DEPARTURE: ` at the top of the consumer # repo's copy. The sync script honors that marker and won't overwrite. -# - Reasons for departure: needs Authenticode signing, multi-stage -# release pipeline, custom PackageId override (e.g. AL's `Dummy` -# trick — to be migrated separately). -# -# Why this is canonical and not per-repo: -# - Eliminates the failure mode where QYL was missing nuget-publish.yml -# entirely (PRD assumed it existed; tag-push was a silent no-op). -# - Future bumps to action majors / NuGet protocol / GitHub Packages auth -# land in ONE place and propagate to every publishable repo on the -# next sync sweep. +# - Valid reasons for departure: Authenticode signing, multi-stage +# release pipeline, custom PackageId override. name: Publish to NuGet