feat: vault PRs should auto-merge after approval #170

Closed · opened 2026-04-03 06:17:16 +00:00 by dev-bot (Collaborator) · 0 comments

Problem

Vault PRs on the ops repo currently require a human to both approve and merge. The human should only need to approve — the merge should happen automatically once the required approvals are collected.

The vault is a decision gate, not a manual merge workflow. The human's role is to review the action TOML and approve or reject. The system handles the rest.

Current behavior

  1. Agent creates vault PR on ops repo
  2. Human navigates to PR, reviews it
  3. Human must manually click merge (no approve button visible without branch protection requiring reviews)
  4. Dispatcher picks up merged PR

Desired behavior

  1. Agent creates vault PR on ops repo
  2. Agent enables auto-merge on the PR via Forgejo API
  3. Human reviews and clicks Approve
  4. Forgejo auto-merges the PR once required approvals are met
  5. Dispatcher picks up merged PR and fires the action

Proposed solution

1. Branch protection on ops repo main

Configure via Forgejo API or lib/branch-protection.sh:

  • required_approvals = 1 (at least one human approval)
  • dismiss_stale_approvals = true
  • Bot accounts cannot self-approve

2. Enable auto-merge when creating vault PRs

After creating the PR in lib/vault.sh:vault_request() and bin/disinto:disinto_release(), call the Forgejo auto-merge API:

POST /repos/{owner}/{repo}/pulls/{number}/merge
{
  "Do": "merge",
  "merge_when_checks_succeed": true
}

This tells Forgejo to merge automatically once branch protection requirements (approvals) are satisfied.

3. Forgejo repo setting

Enable auto-merge on the ops repo:

PATCH /repos/{owner}/{repo}
{ "allow_merge_commits": true, "autodetect_manual_merge": true }

And ensure the enable_automerge site setting is active.
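A shell sketch of step 2 with the step 1 precondition checked first, added here as an example and not the project's lib/vault.sh code; it assumes FORGEJO_URL and FORGEJO_TOKEN environment variables, a VAULT_DRY_RUN switch and a canned VAULT_DRY_RUN_RESPONSE for offline runs, none of which come from the issue:

```shell
# Added example, not the project's lib/vault.sh: arm Forgejo auto-merge on a
# vault PR only after checking that the target branch requires an approval.
# Assumed (not from the issue): FORGEJO_URL, FORGEJO_TOKEN; VAULT_DRY_RUN=1
# prints write requests and answers GETs with VAULT_DRY_RUN_RESPONSE.
set -eu

# Body for POST /repos/{owner}/{repo}/pulls/{number}/merge: Forgejo merges on
# its own once branch protection (required approvals) is satisfied.
automerge_payload() {
  printf '{"Do":"%s","merge_when_checks_succeed":true}' "${1:-merge}"
}
# Integer field from a flat JSON object without jq (demo only). Prints 0 if absent.
json_int() {
  v=$(printf '%s' "$2" | sed -n "s/.*\"$1\":[[:space:]]*\([0-9][0-9]*\).*/\1/p")
  printf '%s' "${v:-0}"
}
# With required_approvals=0, auto-merge would land a bot's PR with no human
# decision, which is exactly what the vault gate exists to prevent.
protection_requires_approval() {
  [ "$(json_int required_approvals "$1")" -ge 1 ]
}
# Forgejo API call; in dry-run mode GETs return the canned response, writes are printed.
forgejo_api() {
  method="$1"; path="$2"; body="${3:-}"
  if [ "${VAULT_DRY_RUN:-0}" = 1 ]; then
    if [ "$method" = GET ]; then
      resp="${VAULT_DRY_RUN_RESPONSE:-}"; [ -n "$resp" ] || resp='{}'
      printf '%s' "$resp"
    else
      printf '%s %s %s\n' "$method" "$path" "$body"
    fi
    return 0
  fi
  curl -fsS -X "$method" -H "Authorization: token $FORGEJO_TOKEN" \
    -H 'Content-Type: application/json' ${body:+--data "$body"} \
    "$FORGEJO_URL/api/v1$path"
}

# Step 2 of the proposal with step 1 verified first: refuse to arm auto-merge
# on an unprotected branch, otherwise POST the merge-when-ready request.
vault_enable_automerge() {
  owner="$1"; repo="$2"; number="$3"; branch="${4:-main}"
  prot=$(forgejo_api GET "/repos/$owner/$repo/branch_protections/$branch")
  if ! protection_requires_approval "$prot"; then
    echo "refusing auto-merge: $owner/$repo $branch requires no approvals" >&2
    return 1
  fi
  forgejo_api POST "/repos/$owner/$repo/pulls/$number/merge" "$(automerge_payload)"
}
```

Called right after PR creation, `vault_enable_automerge owner ops "$pr_number"` leaves the PR untouched (and exits non-zero) if main has no required approvals, so a misconfigured ops repo fails closed rather than merging bot PRs unattended.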

Affected files

  • lib/vault.sh — add auto-merge API call after PR creation
  • bin/disinto — add auto-merge in disinto_release() after PR creation
  • lib/branch-protection.sh — ensure required_approvals is set on ops repo

Acceptance criteria

  • Vault PRs show an Approve button for admin users on Forgejo
  • Approving a vault PR triggers automatic merge (no manual merge step)
  • Bot accounts cannot approve their own vault PRs
  • Dispatcher picks up auto-merged PRs and fires the action
  • docs/VAULT.md updated to reflect the approval-based workflow
dev-bot added the backlog label 2026-04-03 06:17:24 +00:00
dev-qwen self-assigned this 2026-04-03 06:27:50 +00:00
dev-qwen added in-progress and removed backlog labels 2026-04-03 06:27:51 +00:00
dev-qwen removed their assignment 2026-04-03 06:42:55 +00:00
dev-qwen removed the in-progress label 2026-04-03 06:42:55 +00:00
Reference: disinto-admin/disinto#170