diff --git a/bin/disinto b/bin/disinto index 2776e41..b008ff1 100755 --- a/bin/disinto +++ b/bin/disinto @@ -2974,12 +2974,22 @@ This PR creates a vault item for the release of version ${version}. local pr_url="${FORGE_URL}/${FORGE_OPS_REPO}/pulls/${pr_number}" + # Enable auto-merge on the PR — Forgejo will auto-merge after approval + _vault_log "Enabling auto-merge for PR #${pr_number}" + curl -sf -X POST \ + -H "Authorization: token ${FORGE_TOKEN}" \ + -H "Content-Type: application/json" \ + "${FORGE_URL}/api/v1/repos/${FORGE_OPS_REPO}/pulls/${pr_number}/merge" \ + -d '{"Do":"merge","merge_when_checks_succeed":true}' >/dev/null 2>&1 || { + echo "Warning: failed to enable auto-merge (may already be enabled or not supported)" >&2 + } + echo "" echo "Release PR created: ${pr_url}" echo "" echo "Next steps:" echo " 1. Review the PR" - echo " 2. Approve and merge (requires 2 reviewers for vault items)" + echo " 2. Approve the PR (auto-merge will trigger after approval)" echo " 3. The vault runner will execute the release formula" echo "" echo "After merge, the release will:" diff --git a/docs/VAULT.md b/docs/VAULT.md index da2c1a9..838c364 100644 --- a/docs/VAULT.md +++ b/docs/VAULT.md @@ -33,9 +33,11 @@ The `main` branch on the ops repo (`johba/disinto-ops`) is protected via Forgejo - Title: `vault: ` - Labels: `vault`, `pending-approval` - File: `vault/actions/.toml` + - **Auto-merge enabled** — Forgejo will auto-merge after approval 4. **Approval** — Admin user reviews and approves the PR -5. **Execution** — Dispatcher (issue #76) polls for approved vault PRs and executes them -6. **Cleanup** — Executed vault items are moved to `fired/` (via PR) +5. **Auto-merge** — Forgejo automatically merges the PR once required approvals are met +6. **Execution** — Dispatcher (issue #76) polls for merged vault PRs and executes them +7. **Cleanup** — Executed vault items are moved to `fired/` (via PR) ## Bot Account Behavior @@ -43,6 +45,7 @@ Bot accounts (dev-bot, review-bot, vault-bot, etc.) **cannot merge vault PRs** e - Only human admins can approve sensitive vault actions - Bot accounts can only create vault PRs, not execute them +- Bot accounts cannot self-approve vault PRs (Forgejo prevents this automatically) - Manual admin review is always required for privileged operations ## Setup diff --git a/lib/vault.sh b/lib/vault.sh index 8ca4f38..812d464 100644 --- a/lib/vault.sh +++ b/lib/vault.sh @@ -187,6 +187,16 @@ before execution. See the TOML file for details." return 1 } + # Enable auto-merge on the PR — Forgejo will auto-merge after approval + _vault_log "Enabling auto-merge for PR #${pr_num}" + curl -sf -X POST \ + -H "Authorization: token ${FORGE_TOKEN}" \ + -H "Content-Type: application/json" \ + "${ops_api}/pulls/${pr_num}/merge" \ + -d '{"Do":"merge","merge_when_checks_succeed":true}' >/dev/null 2>&1 || { + _vault_log "Warning: failed to enable auto-merge (may already be enabled or not supported)" + } + # Add labels to PR (vault, pending-approval) _vault_log "PR #${pr_num} created, adding labels"