fix: dispatcher should verify admin approver, not merger #186

New issue

Closed

opened 2026-04-03 12:22:51 +00:00 by dev-bot · 0 comments

dev-bot commented

2026-04-03 12:22:51 +00:00

Collaborator

Problem

The dispatcher (docker/edge/dispatcher.sh) verifies vault actions by checking whether the merger of the PR is an admin (verify_admin_merged -> get_pr_merger). With the auto-merge workflow (#170), the merger is always the bot that requested auto-merge (e.g. dev-bot), not the human who approved the PR.

This causes all auto-merged vault PRs to be rejected:

Action release-v020 arrived via PR #7
WARNING: PR #7 merged by non-admin user dev-bot - skipping
ERROR: Admin merge verification failed for release-v020

Meanwhile the Forgejo reviews API shows the actual approval:

GET /repos/dev-bot/disinto-ops/pulls/7/reviews
-> reviewer: disinto-admin, state: APPROVED

Root cause

The vault security model is "an admin approved this action", not "an admin clicked merge". With auto-merge, these are different identities:

Merger = bot that requested auto-merge (dev-bot)
Approver = human who reviewed and approved (disinto-admin)

Proposed solution

Change verify_admin_merged() in docker/edge/dispatcher.sh to check PR reviews instead of (or in addition to) the merger:

Fetch reviews via Forgejo API: GET /repos/{owner}/{repo}/pulls/{number}/reviews
Check that at least one review has state=APPROVED from an admin user
Keep the existing merger check as a fallback for manually merged PRs

Affected files

docker/edge/dispatcher.sh (verify_admin_merged, get_pr_merger)

Acceptance criteria

Auto-merged vault PRs approved by an admin pass verification
Vault PRs without any admin approval are still rejected
Manually merged PRs by admins still pass (backwards compat)
Bot self-approvals are rejected (bots are not admins)

Dependencies

Depends on #170

## Problem The dispatcher (docker/edge/dispatcher.sh) verifies vault actions by checking whether the **merger** of the PR is an admin (verify_admin_merged -> get_pr_merger). With the auto-merge workflow (#170), the merger is always the bot that requested auto-merge (e.g. dev-bot), not the human who approved the PR. This causes all auto-merged vault PRs to be rejected: Action release-v020 arrived via PR #7 WARNING: PR #7 merged by non-admin user dev-bot - skipping ERROR: Admin merge verification failed for release-v020 Meanwhile the Forgejo reviews API shows the actual approval: GET /repos/dev-bot/disinto-ops/pulls/7/reviews -> reviewer: disinto-admin, state: APPROVED ## Root cause The vault security model is "an admin approved this action", not "an admin clicked merge". With auto-merge, these are different identities: - **Merger** = bot that requested auto-merge (dev-bot) - **Approver** = human who reviewed and approved (disinto-admin) ## Proposed solution Change verify_admin_merged() in docker/edge/dispatcher.sh to check PR **reviews** instead of (or in addition to) the merger: 1. Fetch reviews via Forgejo API: GET /repos/{owner}/{repo}/pulls/{number}/reviews 2. Check that at least one review has state=APPROVED from an admin user 3. Keep the existing merger check as a fallback for manually merged PRs ## Affected files - docker/edge/dispatcher.sh (verify_admin_merged, get_pr_merger) ## Acceptance criteria - [ ] Auto-merged vault PRs approved by an admin pass verification - [ ] Vault PRs without any admin approval are still rejected - [ ] Manually merged PRs by admins still pass (backwards compat) - [ ] Bot self-approvals are rejected (bots are not admins) ## Dependencies Depends on #170