Skip to content

Feat/pr auto merge bot#500

Merged
plind-junior merged 5 commits into
testfrom
feat/pr-auto-merge-bot
Jul 16, 2026
Merged

Feat/pr auto merge bot#500
plind-junior merged 5 commits into
testfrom
feat/pr-auto-merge-bot

Conversation

@plind-junior

Copy link
Copy Markdown
Member

What changed

Why

What might break

VEP

Tests

  • make check passes locally (lint + mypy + pytest)
  • New / changed behaviour has a test
  • CHANGELOG.md updated under ## [Unreleased]

claude-verify only reports on auto-merge-labeled prs; requiring it as a
branch-protection check would block every normal unlabeled pr from
merging. the label flow still gates on it via the arm-needs-verify job
dependency in auto-merge.yml, so the veto holds without blocking manual
merges.
drop the author_association==OWNER guard so the owner can authorize a
contributor PR by labeling it, not just their own PRs. the trusted-labeler
check becomes the primary authorization gate and now strips the label if an
untrusted actor applies it, so a stray label cannot persist and bypass the
check on a later synchronize event.
a push to a labeled pr previously re-entered the pipeline on synchronize
without re-checking the labeler, so a contributor could get a benign
commit labeled and then push malicious code that verify would check out
and run with the anthropic key + write token (pull_request_target rce).

now synchronize only runs a deauthorize job that disables auto-merge,
removes the label, and comments — it never checks out head. verification
re-runs only on a fresh owner label. also scope permissions per job
(deny-all default; verify gets no contents:write since untrusted code
runs there) and pin verify to the labeled head sha.
learned from openclaw/openclaw's pr-merge tooling and applied the
transferable practices:

- pin every third-party action to a commit sha (checkout, setup-python,
  claude-code-action) so a moved tag cannot inject code.
- add a workflow-lint gate running zizmor (security) + actionlint
  (correctness) on every workflow change, openclaw's signature practice.
- annotate the deliberate pull_request_target / workflow_run triggers with
  justified `# zizmor: ignore[dangerous-triggers]` comments.
- set persist-credentials: false on the untrusted-head checkout in the
  verify job so contributor code cannot read the token from .git/config.
- add concurrency/supersede on auto-merge so a newer event cancels an
  in-flight run.
- .github/zizmor.yml disables the pin/permissions-migration audits repo-wide
  (same stance as openclaw) so the gate does not require migrating every
  older workflow at once; labeler + release get justified inline ignores.
…eset

- extract verify + arm into a reusable pr-verify.yml shared by the label
  path and the new slash-command path (avoids github label-recursion).
- #2 environment gate: the verify job runs behind a pr-verify environment
  with a required-reviewer rule, so untrusted head code and the api key are
  gated on the owner per-run approval. the key is passed explicitly to the
  handler, not inherited.
- #3 comment-command.yml: the owner authorizes a pr by commenting
  /auto-merge or /verify (owner-gated), as an alternative to the label.
- #1 setup_repo_guards.sh replaces setup_branch_protection.sh: creates a
  branch ruleset (pr + code-owner review + ci/trust-gate checks, org-admin
  bypass) plus the pr-verify environment and the labels.
- deauthorize-on-push now runs on every synchronize (unconditional disarm).
@plind-junior
plind-junior changed the base branch from main to test July 16, 2026 02:30
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@plind-junior, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 7 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: d1edc898-b943-45ca-aa3c-618051cf57d9

📥 Commits

Reviewing files that changed from the base of the PR and between 3d9e62b and e661609.

📒 Files selected for processing (13)
  • .github/workflows/auto-merge.yml
  • .github/workflows/ci-label.yml
  • .github/workflows/comment-command.yml
  • .github/workflows/labeler.yml
  • .github/workflows/pr-verify.yml
  • .github/workflows/release.yml
  • .github/workflows/trust-gate.yml
  • .github/workflows/ui-screenshot-gate.yml
  • .github/workflows/workflow-lint.yml
  • .github/zizmor.yml
  • CHANGELOG.md
  • scripts/setup_branch_protection.sh
  • scripts/setup_repo_guards.sh
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/pr-auto-merge-bot

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added docs documentation, specs, examples, and repo guidance ci github actions and automation size: M 200-499 changed non-doc lines labels Jul 16, 2026
@plind-junior
plind-junior merged commit f168e25 into test Jul 16, 2026
15 of 18 checks passed
@github-actions github-actions Bot added the ci: passing ci is green label Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci: passing ci is green ci github actions and automation docs documentation, specs, examples, and repo guidance size: M 200-499 changed non-doc lines

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant