From 7b9c483477d08128c58f7ba273a3a0b83a290a40 Mon Sep 17 00:00:00 2001 From: Agent Date: Fri, 3 Apr 2026 06:29:35 +0000 Subject: [PATCH 1/2] fix: feat: vault PRs should auto-merge after approval (#170) --- bin/disinto | 12 +++++++++++- docs/VAULT.md | 7 +++++-- lib/vault.sh | 10 ++++++++++ 3 files changed, 26 insertions(+), 3 deletions(-) diff --git a/bin/disinto b/bin/disinto index 2776e41..fa3cc37 100755 --- a/bin/disinto +++ b/bin/disinto @@ -2974,12 +2974,22 @@ This PR creates a vault item for the release of version ${version}. local pr_url="${FORGE_URL}/${FORGE_OPS_REPO}/pulls/${pr_number}" + # Enable auto-merge on the PR — Forgejo will auto-merge after approval + _vault_log "Enabling auto-merge for PR #${pr_number}" + curl -sf -X POST \ + -H "Authorization: token ${FORGE_TOKEN}" \ + -H "Content-Type: application/json" \ + "${FORGE_URL}/api/v1/repos/${FORGE_OPS_REPO}/pulls/${pr_number}/merge" \ + -d '{"Do":"merge","merge_when_checks_succeed":false}' >/dev/null 2>&1 || { + echo "Warning: failed to enable auto-merge (may already be enabled or not supported)" >&2 + } + echo "" echo "Release PR created: ${pr_url}" echo "" echo "Next steps:" echo " 1. Review the PR" - echo " 2. Approve and merge (requires 2 reviewers for vault items)" + echo " 2. Approve the PR (auto-merge will trigger after approval)" echo " 3. The vault runner will execute the release formula" echo "" echo "After merge, the release will:" diff --git a/docs/VAULT.md b/docs/VAULT.md index da2c1a9..838c364 100644 --- a/docs/VAULT.md +++ b/docs/VAULT.md 
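Review bot: The new curl block in bin/disinto arms auto-merge with the same `FORGE_TOKEN` that just opened the PR, and the rewritten next-steps line drops the only mention of the 2-reviewer requirement, so nothing in this function now says what actually gates a vault merge. On Gitea/Forgejo a scheduled auto-merge fires as soon as the PR becomes mergeable under the target branch's protection rules, so "auto-merge will trigger after approval" holds only if `main` on the ops repo requires approvals — a server-side setting this code neither checks nor documents. I would keep the requirement visible to the operator, `echo "  2. Approve the PR (auto-merge fires once the ops repo's required approvals are met)"`, and state the dependency above the curl call: `# Arming auto-merge delegates the approval gate entirely to branch protection on the ops repo's main; if that rule ever loses its required-approval count, this request merges without review`. The enclosing function begins before and ends after this hunk.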
@@ -33,9 +33,11 @@ The `main` branch on the ops repo (`johba/disinto-ops`) is protected via Forgejo - Title: `vault: ` - Labels: `vault`, `pending-approval` - File: `vault/actions/.toml` + - **Auto-merge enabled** — Forgejo will auto-merge after approval 4. **Approval** — Admin user reviews and approves the PR -5. **Execution** — Dispatcher (issue #76) polls for approved vault PRs and executes them -6. **Cleanup** — Executed vault items are moved to `fired/` (via PR) +5. **Auto-merge** — Forgejo automatically merges the PR once required approvals are met +6. **Execution** — Dispatcher (issue #76) polls for merged vault PRs and executes them +7. **Cleanup** — Executed vault items are moved to `fired/` (via PR) ## Bot Account Behavior @@ -43,6 +45,7 @@ Bot accounts (dev-bot, review-bot, vault-bot, etc.) **cannot merge vault PRs** e - Only human admins can approve sensitive vault actions - Bot accounts can only create vault PRs, not execute them +- Bot accounts cannot self-approve vault PRs (Forgejo prevents this automatically) - Manual admin review is always required for privileged operations ## Setup diff --git a/lib/vault.sh b/lib/vault.sh index 8ca4f38..bd3a211 100644 --- a/lib/vault.sh +++ b/lib/vault.sh @@ -187,6 +187,16 @@ before execution. See the TOML file for details." return 1 } + # Enable auto-merge on the PR — Forgejo will auto-merge after approval + _vault_log "Enabling auto-merge for PR #${pr_num}" + curl -sf -X POST \ + -H "Authorization: token ${FORGE_TOKEN}" \ + -H "Content-Type: application/json" \ + "${ops_api}/pulls/${pr_num}/merge" \ + -d '{"Do":"merge","merge_when_checks_succeed":false}' >/dev/null 2>&1 || { + _vault_log "Warning: failed to enable auto-merge (may already be enabled or not supported)" + } + # Add labels to PR (vault, pending-approval) _vault_log "PR #${pr_num} created, adding labels" From a916904e7624275bac5af9eeaa291c38706debdf Mon Sep 17 00:00:00 2001 
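Review bot: The `|| { _vault_log "Warning: …" }` branch after the new curl call in lib/vault.sh makes a rejected arm request indistinguishable from an unsupported API, and `-sf … >/dev/null 2>&1` discards even curl's own "returned error: 403" line. That matters because docs/VAULT.md in this same series says bot accounts cannot merge vault PRs; if `FORGE_TOKEN` is such a bot token, Forgejo may refuse this POST every time, making the warning the normal path and auto-merge never actually enabled — whereas if the token can merge, the warning hides a security-relevant failure. I would capture the status instead of suppressing it, `status=$(curl -s -o /dev/null -w '%{http_code}' -X POST …)` and log it, `_vault_log "Warning: auto-merge not enabled for PR #${pr_num} (HTTP ${status})"`, then decide explicitly whether a non-2xx here should `return 1` like the failure path visible just above it in the hunk. The enclosing function starts before this hunk.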
From: Agent Date: Fri, 3 Apr 2026 06:37:13 +0000 Subject: [PATCH 2/2] fix: correct merge_when_checks_succeed to true for auto-merge (#170) --- bin/disinto | 2 +- lib/vault.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/disinto b/bin/disinto index fa3cc37..b008ff1 100755 --- a/bin/disinto +++ b/bin/disinto @@ -2980,7 +2980,7 @@ This PR creates a vault item for the release of version ${version}. -H "Authorization: token ${FORGE_TOKEN}" \ -H "Content-Type: application/json" \ "${FORGE_URL}/api/v1/repos/${FORGE_OPS_REPO}/pulls/${pr_number}/merge" \ - -d '{"Do":"merge","merge_when_checks_succeed":false}' >/dev/null 2>&1 || { + -d '{"Do":"merge","merge_when_checks_succeed":true}' >/dev/null 2>&1 || { echo "Warning: failed to enable auto-merge (may already be enabled or not supported)" >&2 } diff --git a/lib/vault.sh b/lib/vault.sh index bd3a211..812d464 100644 --- a/lib/vault.sh +++ b/lib/vault.sh @@ -193,7 +193,7 @@ before execution. See the TOML file for details." -H "Authorization: token ${FORGE_TOKEN}" \ -H "Content-Type: application/json" \ "${ops_api}/pulls/${pr_num}/merge" \ - -d '{"Do":"merge","merge_when_checks_succeed":false}' >/dev/null 2>&1 || { + -d '{"Do":"merge","merge_when_checks_succeed":true}' >/dev/null 2>&1 || { _vault_log "Warning: failed to enable auto-merge (may already be enabled or not supported)" }
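Review bot: With `merge_when_checks_succeed` now `true`, the bin/disinto block still cannot tell "scheduled" from "merged right now": as far as I recall, the Gitea/Forgejo merge endpoint answers 201 when it schedules an auto-merge and 200 when the PR was already mergeable and it merged on the spot, and `-sf … >/dev/null 2>&1` maps both to success. For a vault item the 200 case means the approval gate did not hold and the release formula is about to run unreviewed, which should be loud rather than a normal "Release PR created" message. I would read the status code and branch on it, as below; whether the 200 case should also `return 1` depends on callers outside this hunk. The same change applies to the identical block in the lib/vault.sh hunk of this patch, with `_vault_log` in place of `echo … >&2`.
```shell
    # Arm auto-merge. Forgejo/Gitea schedules it (201) when the PR is not yet
    # mergeable and merges immediately (200) when it already is; for a vault
    # item an immediate merge means the approval gate did not hold.
    local merge_status
    merge_status=$(curl -s -o /dev/null -w '%{http_code}' -X POST \
        -H "Authorization: token ${FORGE_TOKEN}" \
        -H "Content-Type: application/json" \
        "${FORGE_URL}/api/v1/repos/${FORGE_OPS_REPO}/pulls/${pr_number}/merge" \
        -d '{"Do":"merge","merge_when_checks_succeed":true}')
    case "${merge_status}" in
        201) _vault_log "Auto-merge scheduled for PR #${pr_number}" ;;
        200) echo "ERROR: PR #${pr_number} merged immediately without review; check branch protection on ${FORGE_OPS_REPO}" >&2
             return 1 ;;
        *)   echo "Warning: failed to enable auto-merge (HTTP ${merge_status})" >&2 ;;
    esac
```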