fix: feat: vault PRs should auto-merge after approval (#170)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/smoke-init Pipeline was successful

This commit is contained in:
Agent 2026-04-03 06:29:35 +00:00
parent 958d3d2a84
commit 7b9c483477
3 changed files with 26 additions and 3 deletions


@ -2974,12 +2974,22 @@ This PR creates a vault item for the release of version ${version}.
local pr_url="${FORGE_URL}/${FORGE_OPS_REPO}/pulls/${pr_number}" local pr_url="${FORGE_URL}/${FORGE_OPS_REPO}/pulls/${pr_number}"
# Enable auto-merge on the PR — Forgejo will auto-merge after approval
_vault_log "Enabling auto-merge for PR #${pr_number}"
curl -sf -X POST \
-H "Authorization: token ${FORGE_TOKEN}" \
-H "Content-Type: application/json" \
"${FORGE_URL}/api/v1/repos/${FORGE_OPS_REPO}/pulls/${pr_number}/merge" \
-d '{"Do":"merge","merge_when_checks_succeed":false}' >/dev/null 2>&1 || {
echo "Warning: failed to enable auto-merge (may already be enabled or not supported)" >&2
}
echo "" echo ""
echo "Release PR created: ${pr_url}" echo "Release PR created: ${pr_url}"
echo "" echo ""
echo "Next steps:" echo "Next steps:"
echo " 1. Review the PR" echo " 1. Review the PR"
echo " 2. Approve and merge (requires 2 reviewers for vault items)" echo " 2. Approve the PR (auto-merge will trigger after approval)"
echo " 3. The vault runner will execute the release formula" echo " 3. The vault runner will execute the release formula"
echo "" echo ""
echo "After merge, the release will:" echo "After merge, the release will:"
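Review bot: the payload in this hunk does not enable auto-merge, it requests an immediate merge: `-d '{"Do":"merge","merge_when_checks_succeed":false}'`. In the Forgejo/Gitea merge API `merge_when_checks_succeed` is the flag that schedules the merge for later, and `false` means merge now. As written, the call is rejected by branch protection whenever approvals are outstanding, the `>/dev/null 2>&1 || { echo "Warning: ..." }` swallows the 4xx so every run prints the warning, and if the protection rule were ever relaxed the vault PR would be merged under the bot's `FORGE_TOKEN` with zero reviews. Set `"merge_when_checks_succeed":true`, keep the response body so the failure reason is visible in the log, and consider restoring the dropped "(requires 2 reviewers for vault items)" hint in the `Next steps` text, since the approval count is the control that now gates the merge.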


@ -33,9 +33,11 @@ The `main` branch on the ops repo (`johba/disinto-ops`) is protected via Forgejo
- Title: `vault: <action-id>` - Title: `vault: <action-id>`
- Labels: `vault`, `pending-approval` - Labels: `vault`, `pending-approval`
- File: `vault/actions/<action-id>.toml` - File: `vault/actions/<action-id>.toml`
- **Auto-merge enabled** — Forgejo will auto-merge after approval
4. **Approval** — Admin user reviews and approves the PR 4. **Approval** — Admin user reviews and approves the PR
5. **Execution** — Dispatcher (issue #76) polls for approved vault PRs and executes them 5. **Auto-merge** — Forgejo automatically merges the PR once required approvals are met
6. **Cleanup** — Executed vault items are moved to `fired/` (via PR) 6. **Execution** — Dispatcher (issue #76) polls for merged vault PRs and executes them
7. **Cleanup** — Executed vault items are moved to `fired/` (via PR)
## Bot Account Behavior ## Bot Account Behavior
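Review bot: step 5 says the merge happens "once required approvals are met", but a scheduled merge in Forgejo fires when the PR becomes mergeable, which means every branch protection rule is satisfied (required approvals and required status checks), not approvals alone; word it as "once branch protection is satisfied (required approvals and status checks)" so operators neither expect an approval by itself to merge nor assume checks are optional. Step 6 changes the dispatcher from polling for approved vault PRs to polling for merged ones; that is a behaviour change for issue #76 and should be called out explicitly, and the doc should state which account the merge is attributed to (the owner of `FORGE_TOKEN`), because that is the identity the audit trail will show for a privileged vault action.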
@ -43,6 +45,7 @@ Bot accounts (dev-bot, review-bot, vault-bot, etc.) **cannot merge vault PRs** e
- Only human admins can approve sensitive vault actions - Only human admins can approve sensitive vault actions
- Bot accounts can only create vault PRs, not execute them - Bot accounts can only create vault PRs, not execute them
- Bot accounts cannot self-approve vault PRs (Forgejo prevents this automatically)
- Manual admin review is always required for privileged operations - Manual admin review is always required for privileged operations
## Setup ## Setup
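Review bot: the new bullet "Bot accounts cannot self-approve vault PRs (Forgejo prevents this automatically)" overstates the built-in control. What Forgejo blocks on its own is the PR author approving their own PR; it does not stop a different bot account from counting toward the required approvals unless the `main` protection rule restricts approvals to an allow-list of users or teams (the approvals whitelist setting). Name that setting here so the guarantee is tied to configuration rather than to a default. The surrounding text also says bot accounts cannot merge vault PRs, yet both scripts in this change schedule the merge with `FORGE_TOKEN`; confirm whether the scheduled merge is executed as that token's account and, if so, that the protection rule permits it, otherwise the auto-merge will never fire and the workflow silently falls back to manual merge.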


@ -187,6 +187,16 @@ before execution. See the TOML file for details."
return 1 return 1
} }
# Enable auto-merge on the PR — Forgejo will auto-merge after approval
_vault_log "Enabling auto-merge for PR #${pr_num}"
curl -sf -X POST \
-H "Authorization: token ${FORGE_TOKEN}" \
-H "Content-Type: application/json" \
"${ops_api}/pulls/${pr_num}/merge" \
-d '{"Do":"merge","merge_when_checks_succeed":false}' >/dev/null 2>&1 || {
_vault_log "Warning: failed to enable auto-merge (may already be enabled or not supported)"
}
# Add labels to PR (vault, pending-approval) # Add labels to PR (vault, pending-approval)
_vault_log "PR #${pr_num} created, adding labels" _vault_log "PR #${pr_num} created, adding labels"
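Review bot: this block is a verbatim copy of the one added to the release script, including the `"merge_when_checks_succeed":false` payload that requests an immediate merge instead of scheduling one; move it into a single helper (for example `_vault_enable_automerge "${ops_api}" "${pr_num}"`, name hypothetical) so the two call sites cannot drift. Ordering also matters here: the merge is scheduled before the labels are added (`# Add labels to PR (vault, pending-approval)` follows the curl), so anything that keys on the `pending-approval` label sees a PR that is already queued to merge; make the merge call the last step after labelling. Replace `>/dev/null 2>&1` with a check on the HTTP status (`-o /dev/null -w '%{http_code}'`) so that "already scheduled", "forbidden" and "merged" are distinguishable in `_vault_log`.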