Merge pull request 'fix: feat: vault PRs should auto-merge after approval (#170)' (#173) from fix/issue-170 into main
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
This commit is contained in:
commit
2dbe6a85f4
3 changed files with 26 additions and 3 deletions
12
bin/disinto
12
bin/disinto
|
|
@ -2974,12 +2974,22 @@ This PR creates a vault item for the release of version ${version}.
|
|||
|
||||
local pr_url="${FORGE_URL}/${FORGE_OPS_REPO}/pulls/${pr_number}"
|
||||
|
||||
# Enable auto-merge on the PR — Forgejo will auto-merge after approval
|
||||
_vault_log "Enabling auto-merge for PR #${pr_number}"
|
||||
curl -sf -X POST \
|
||||
-H "Authorization: token ${FORGE_TOKEN}" \
|
||||
-H "Content-Type: application/json" \
|
||||
"${FORGE_URL}/api/v1/repos/${FORGE_OPS_REPO}/pulls/${pr_number}/merge" \
|
||||
-d '{"Do":"merge","merge_when_checks_succeed":true}' >/dev/null 2>&1 || {
|
||||
echo "Warning: failed to enable auto-merge (may already be enabled or not supported)" >&2
|
||||
}
|
||||
|
||||
echo ""
|
||||
echo "Release PR created: ${pr_url}"
|
||||
echo ""
|
||||
echo "Next steps:"
|
||||
echo " 1. Review the PR"
|
||||
echo " 2. Approve and merge (requires 2 reviewers for vault items)"
|
||||
echo " 2. Approve the PR (auto-merge will trigger after approval)"
|
||||
echo " 3. The vault runner will execute the release formula"
|
||||
echo ""
|
||||
echo "After merge, the release will:"
|
||||
|
|
|
|||
|
|
@ -33,9 +33,11 @@ The `main` branch on the ops repo (`johba/disinto-ops`) is protected via Forgejo
|
|||
- Title: `vault: <action-id>`
|
||||
- Labels: `vault`, `pending-approval`
|
||||
- File: `vault/actions/<action-id>.toml`
|
||||
- **Auto-merge enabled** — Forgejo will auto-merge after approval
|
||||
4. **Approval** — Admin user reviews and approves the PR
|
||||
5. **Execution** — Dispatcher (issue #76) polls for approved vault PRs and executes them
|
||||
6. **Cleanup** — Executed vault items are moved to `fired/` (via PR)
|
||||
5. **Auto-merge** — Forgejo automatically merges the PR once required approvals are met
|
||||
6. **Execution** — Dispatcher (issue #76) polls for merged vault PRs and executes them
|
||||
7. **Cleanup** — Executed vault items are moved to `fired/` (via PR)
|
||||
|
||||
## Bot Account Behavior
|
||||
|
||||
|
|
@ -43,6 +45,7 @@ Bot accounts (dev-bot, review-bot, vault-bot, etc.) **cannot merge vault PRs** e
|
|||
|
||||
- Only human admins can approve sensitive vault actions
|
||||
- Bot accounts can only create vault PRs, not execute them
|
||||
- Bot accounts cannot self-approve vault PRs (Forgejo prevents this automatically)
|
||||
- Manual admin review is always required for privileged operations
|
||||
|
||||
## Setup
|
||||
|
|
|
|||
10
lib/vault.sh
10
lib/vault.sh
|
|
@ -187,6 +187,16 @@ before execution. See the TOML file for details."
|
|||
return 1
|
||||
}
|
||||
|
||||
# Enable auto-merge on the PR — Forgejo will auto-merge after approval
|
||||
_vault_log "Enabling auto-merge for PR #${pr_num}"
|
||||
curl -sf -X POST \
|
||||
-H "Authorization: token ${FORGE_TOKEN}" \
|
||||
-H "Content-Type: application/json" \
|
||||
"${ops_api}/pulls/${pr_num}/merge" \
|
||||
-d '{"Do":"merge","merge_when_checks_succeed":true}' >/dev/null 2>&1 || {
|
||||
_vault_log "Warning: failed to enable auto-merge (may already be enabled or not supported)"
|
||||
}
|
||||
|
||||
# Add labels to PR (vault, pending-approval)
|
||||
_vault_log "PR #${pr_num} created, adding labels"
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue