Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 9 additions & 20 deletions .github/workflows/auto-merge.yml
Original file line number Diff line number Diff line change
@@ -1,28 +1,17 @@
# Auto-merge — native GitHub auto-merge via GITHUB_TOKEN. No custom App, no
# AUTOMERGE_* secrets, no reusable workflow.
# Auto-merge — enables GitHub native auto-merge (squash) via GITHUB_TOKEN.
#
# Synced from github-settings-automation/templates/auto-merge.yml by the
# weekly enforce-repo-settings sweep. Do not hand-edit per-repo.
#
# This file is per-repo and event-driven. It enables native GitHub auto-merge
# only for trusted automation branches (claude/, copilot/). There is no central
# PR-heal cron in the merge path, and no review-bot (CodeRabbit etc.) approval
# ever triggers a merge.
# Event-driven and per-repo: enables native auto-merge only for trusted
# automation branches (prefix policy below). Renovate PRs don't need this
# workflow — the shared preset (github>ANcpLua/github-settings-automation)
# sets `platformAutomerge: true`.
#
# Renovate bot PRs do not need this workflow: Renovate enables native
# auto-merge itself via `platformAutomerge: true` in the shared preset
# (github>ANcpLua/github-settings-automation — default.json preset, merged
# from the archived ANcpLua/renovate-config repo on 2026-05-25).
#
# Prereqs (one-time per repo): Settings → General → "Allow auto-merge"
# enabled. Branch protection on `main` lists the required status checks;
# native auto-merge waits for them. enforce-repo-settings.yml flips
# allow_auto_merge automatically across the fleet.
#
# Background: the AUTOMERGE_APP_ID GitHub App was deleted on 2026-05-12
# as an antipattern (single point of failure across N repos, maintenance
# overhead, and Renovate's platformAutomerge already does the bot tier
# natively without it).
# Prereqs (one-time per repo): "Allow auto-merge" enabled in repo settings,
# and branch protection on `main` listing the required status checks native
# auto-merge waits for. enforce-repo-settings.yml flips allow_auto_merge
# automatically across the fleet.
#
# Branch-prefix policy:
# - claude/ — Claude Code agents
Expand Down
21 changes: 8 additions & 13 deletions .github/workflows/enforce-repo-settings.yml
Original file line number Diff line number Diff line change
Expand Up @@ -120,14 +120,11 @@ jobs:
|| echo "::warning::sync-branch-protection.sh exited non-zero for $repo"
done < targets.txt

# Sync the canonical nuget-publish.yml workflow + NUGET_USER
# secret into repos opted-in via scripts/drift-policy.yaml's
# `nuget_publishers:` list. Eliminates per-repo authoring of
# publish workflows. Each publisher gets the same tag-triggered
# OIDC trusted-publishing pipeline; future bumps to action SHAs
# or auth shape land once and propagate. NUGET_USER is the
# nuget.org username (e.g. ANcpLua) used by NuGet/login@v1 during
# the OIDC token exchange. See scripts/sync-nuget-publish.sh +
# Sync the canonical nuget-publish.yml workflow + NUGET_USER secret
# into repos opted-in via scripts/drift-policy.yaml's
# `nuget_publishers:` list. NUGET_USER is the nuget.org username
# (e.g. ANcpLua) used by NuGet/login@v1 during the OIDC token
# exchange. See scripts/sync-nuget-publish.sh +
# scripts/sync-nuget-secret.sh.
- name: Sync nuget-publish.yml + NUGET_USER (opted-in repos)
env:
Expand All @@ -154,11 +151,9 @@ jobs:
done < nuget-targets.txt
fi

# Sync auto-merge.yml. This REPLACES — the bug we fix here (the
# now-removed owner-clause that caused PR#170 to merge prematurely) lives
# in the existing per-repo files and must be overwritten. Skip repos
# that don't already have an auto-merge.yml: we don't push the
# workflow into repos that opted out.
# Sync auto-merge.yml. Drifted per-repo copies are REPLACED with the
# canonical template. Repos without an auto-merge.yml are skipped —
# the sweep never seeds the workflow into repos that opted out.
- name: Sync auto-merge.yml (replace if drifted from template)
env:
GH_TOKEN: ${{ secrets.REPO_SETTINGS_PAT_USER }}
Expand Down
12 changes: 1 addition & 11 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -47,19 +47,9 @@ they are wanted per-repo review tuning and are never touched by cleanup.
| `enforce-repo-settings.yml` | weekly cron (Mon 17:00 UTC) + dispatch | Targets repos carrying `qyl` or `ancplua-fleet` in `topic` mode. Enables `delete_branch_on_merge` and `allow_auto_merge`; removes retired Codacy/triage-bot/coderabbit-autofix files; syncs branch-protection overrides; syncs opted-in NuGet publishing; and syncs `auto-merge.yml` where already present. |
| `drift-check.yml` | weekly cron (Mon 06:00 UTC) + dispatch | Runs the semantic drift detector over the watchlist in `scripts/drift-policy.yaml` and opens or updates a `config-drift` issue when drift is found. |

The removed cron lanes were:

- `codex-review.yml`: posted review requests across the fleet every 15 minutes.
- `pr-heal.yml`: scanned for stuck PRs every 15 minutes and posted repair
handoff prompts.

Those files were deleted because they duplicated CodeRabbit, created comment
noise, and kept a manual handoff model alive.

## Auto-Merge Posture

No third-party auto-merge App and no destructive merge workflow. The fleet
relies on:
The fleet relies on:

- GitHub native auto-merge, enabled by `enforce-repo-settings.yml`.
- Renovate `platformAutomerge: true` for dependency PRs that the shared preset
Expand Down
3 changes: 1 addition & 2 deletions scripts/remove-retired-review-automation.sh
Original file line number Diff line number Diff line change
@@ -1,8 +1,7 @@
#!/usr/bin/env bash
# Remove retired reviewer automation from one target repository.
#
# Retired = Codacy + the old triage-bot + the coderabbit-autofix WORKFLOW
# (auto-commenting at reviewer bots is retired automation, 2026-06-11).
# Retired = Codacy, triage-bot, and the coderabbit-autofix workflow.
# Per-repo `.coderabbit.yaml` CONFIG files are NOT retired — they are wanted
# per-repo review tuning and must survive fleet sweeps. Never add
# .coderabbit.yaml (or any config path) to the kill list.
Expand Down
8 changes: 3 additions & 5 deletions scripts/sync-branch-protection.sh
Original file line number Diff line number Diff line change
@@ -1,11 +1,9 @@
#!/usr/bin/env bash
# Sync canonical branch-protection overrides onto one repo's default branch.
#
# Why this exists: PR #174 on ANcpLua/ANcpLua.Analyzers was blocked by
# `required_conversation_resolution: true` after a reviewer integration was
# removed (orphaned bot review threads, no way to resolve). The canonical
# policy forces that field to `false` so no future bot-uninstall locks the
# fleet out the same way. The sync engine OWNS that field going forward.
# The canonical policy forces `required_conversation_resolution: false` so
# a removed bot reviewer's orphaned review threads can never block merging.
# The sync engine owns every key present in the policy file.
#
# Algorithm:
# 1. GET current protection. If branch has none (404), skip — the sync
Expand Down
5 changes: 2 additions & 3 deletions scripts/sync-nuget-secret.sh
Original file line number Diff line number Diff line change
Expand Up @@ -4,9 +4,8 @@
# g-s-a, every fleet publisher inherits it on the next sync sweep.
#
# NUGET_USER (the nuget.org username, e.g. `ANcpLua`) is what
# `NuGet/login@v1` uses during OIDC trusted-publishing token exchange.
# It replaces the legacy NUGET_API_KEY pattern (rotation no longer
# needed — keys are minted per-workflow-run via OIDC).
# `NuGet/login@v1` uses during OIDC trusted-publishing token exchange;
# no static API key secret is needed.
#
# Skips silently if NUGET_USER env var is empty (caller decides whether
# that's an error — useful for dry-runs).
Expand Down
29 changes: 9 additions & 20 deletions templates/auto-merge.yml
Original file line number Diff line number Diff line change
@@ -1,28 +1,17 @@
# Auto-merge — native GitHub auto-merge via GITHUB_TOKEN. No custom App, no
# AUTOMERGE_* secrets, no reusable workflow.
# Auto-merge — enables GitHub native auto-merge (squash) via GITHUB_TOKEN.
#
# Synced from github-settings-automation/templates/auto-merge.yml by the
# weekly enforce-repo-settings sweep. Do not hand-edit per-repo.
#
# This file is per-repo and event-driven. It enables native GitHub auto-merge
# only for trusted automation branches (claude/, copilot/). There is no central
# PR-heal cron in the merge path, and no review-bot (CodeRabbit etc.) approval
# ever triggers a merge.
# Event-driven and per-repo: enables native auto-merge only for trusted
# automation branches (prefix policy below). Renovate PRs don't need this
# workflow — the shared preset (github>ANcpLua/github-settings-automation)
# sets `platformAutomerge: true`.
#
# Renovate bot PRs do not need this workflow: Renovate enables native
# auto-merge itself via `platformAutomerge: true` in the shared preset
# (github>ANcpLua/github-settings-automation — default.json preset, merged
# from the archived ANcpLua/renovate-config repo on 2026-05-25).
#
# Prereqs (one-time per repo): Settings → General → "Allow auto-merge"
# enabled. Branch protection on `main` lists the required status checks;
# native auto-merge waits for them. enforce-repo-settings.yml flips
# allow_auto_merge automatically across the fleet.
#
# Background: the AUTOMERGE_APP_ID GitHub App was deleted on 2026-05-12
# as an antipattern (single point of failure across N repos, maintenance
# overhead, and Renovate's platformAutomerge already does the bot tier
# natively without it).
# Prereqs (one-time per repo): "Allow auto-merge" enabled in repo settings,
# and branch protection on `main` listing the required status checks native
# auto-merge waits for. enforce-repo-settings.yml flips allow_auto_merge
# automatically across the fleet.
#
# Branch-prefix policy:
# - claude/ — Claude Code agents
Expand Down
2 changes: 1 addition & 1 deletion templates/branch-protection.json
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
{
"_comment": "Canonical branch-protection overrides applied to every fleet repo's default branch by scripts/sync-branch-protection.sh (called from .github/workflows/enforce-repo-settings.yml). Only keys present here are FORCED; everything else (CI checks, review requirements, restrictions) is preserved per-repo. To extend: add a key here, the sync engine picks it up on the next run.",
"_why_each_key": {
"required_conversation_resolution": "PR #174 on ANcpLua/ANcpLua.Analyzers (2026-05-25) was blocked by orphaned bot review threads after a reviewer integration was removed. With conv_resolution=true, any removed bot reviewer can lock the fleet out of merging until each thread is manually resolved. Forcing this to false moves the gate to sturdier mechanisms (CI checks + required reviews when present) that do not depend on per-thread state managed by a reviewer that may no longer exist.",
"required_conversation_resolution": "Forced false: orphaned review threads from a removed bot reviewer add a manual per-thread gate; the merge gate stays with CI checks and required reviews instead of per-thread state.",
"allow_force_pushes": "Universal: history loss prevention.",
"allow_deletions": "Universal: branch protection should imply existence protection.",
"lock_branch": "Default off — only set true when explicitly archiving a branch."
Expand Down
12 changes: 2 additions & 10 deletions templates/nuget-publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,16 +33,8 @@
# - To deliberately diverge from canonical in one specific repo, add a
# line `# CANONICAL-DEPARTURE: <reason>` at the top of the consumer
# repo's copy. The sync script honors that marker and won't overwrite.
# - Reasons for departure: needs Authenticode signing, multi-stage
# release pipeline, custom PackageId override (e.g. AL's `Dummy`
# trick — to be migrated separately).
#
# Why this is canonical and not per-repo:
# - Eliminates the failure mode where QYL was missing nuget-publish.yml
# entirely (PRD assumed it existed; tag-push was a silent no-op).
# - Future bumps to action majors / NuGet protocol / GitHub Packages auth
# land in ONE place and propagate to every publishable repo on the
# next sync sweep.
# - Valid reasons for departure: Authenticode signing, multi-stage
# release pipeline, custom PackageId override.

name: Publish to NuGet

Expand Down