| # AutoMerge v1: PR validation workflow | ||
| # This workflow runs untrusted package code and validates PRs. | ||
| # It has limited token permissions (read + commit status) and never has merge access. |
you can search this workflow; it only gets ${{ secrets.GITHUB_TOKEN }}, NOT the tagbot token
| - name: AutoMerge.merge_prs | ||
| env: | ||
| AUTOMERGE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| AUTOMERGE_MERGE_TOKEN: ${{ secrets.TAGBOT_TOKEN }} |
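Review bot: this step receives `AUTOMERGE_MERGE_TOKEN: ${{ secrets.TAGBOT_TOKEN }}`, so the only thing keeping that credential away from package code is the workflow's trigger list (schedule and workflow_dispatch, per the description); add a header comment here like the one on the check workflow stating that this file must never gain a `pull_request` trigger or check out PR code, so a later edit that does so is visibly wrong in review.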
the merge workflow uses the tagbot token, but never loads user code
This pull request has been inactive for 30 days and will be automatically closed 7 days from now. If this pull request should not be closed, please either (1) fix the AutoMerge issues and re-trigger Registrator, which will automatically update the pull request, or (2) post a comment explaining why you would like this pull request to be manually merged. [noblock]

This pull request has been inactive for more than 30 days and has automatically been closed. Feel free to register your package or version again once you fix the AutoMerge issues. [noblock]
Note: I'm getting this ready but AutoMerge v1 is not released yet
AutoMerge v1 Migration

This PR migrates the AutoMerge workflow from the pre-v1 API to AutoMerge v1, which separates PR validation from PR merging.

Changes

The monolithic `automerge.yml` workflow has been split into three separate workflows:

- `automerge_check.yml` - Validates PRs using `AutoMerge.check_pr()`. Runs on pull_request events only. Has limited token access (read + commit status) and runs untrusted package code.
- `automerge_merge.yml` - Merges approved PRs using `AutoMerge.merge_prs()`. Runs on schedule and workflow_dispatch events only (never on PRs). Has write token access but never executes untrusted code.
- `automerge_stopwatch.yml` - Polling mechanism that maintains the 8-minute merge cadence. Triggers on PR events, schedule, and workflow_dispatch. Checks time since last merge and triggers `automerge_merge.yml` via workflow_dispatch when needed.

Implementation Details

- `RegistryCI.AutoMerge.run()` → `AutoMerge.check_pr()` / `AutoMerge.merge_prs()`
- `.ci/` → `.ci/AutoMerge/` for check/merge workflows
- `AUTOMERGE_TAGBOT_TOKEN` → `AUTOMERGE_MERGE_TOKEN`
- `AutoMerge.general_registry_config()` instead of keyword arguments

Stopwatch Mechanism

The stopwatch workflow runs on every PR event from non-forks, providing frequent polling intervals to maintain the 8-minute merge cadence. Without PR events, it would only check every 4 hours (cron schedule). This preserves the existing behavior where PR activity drives continuous merge operations.

Security Model

The split ensures that workflows running untrusted code (PR validation) never have access to merge credentials, while workflows with merge access never run on PR events or execute untrusted code. We already had this split by very finicky IF conditions in our workflows, but this should make it much clearer and more straightforward. I.e. there is not an active security problem that this is fixing.
written with Claude, but checked by me
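As an added illustration (not the PR's own workflow files), this is the shape the check and merge workflows take under the security model described above: the trigger, `permissions:` and `env` split is taken from the PR description, while the action versions, the `run:` commands and the script paths are assumed placeholders.

```yaml
# .github/workflows/automerge_check.yml (illustrative; runs untrusted package code)
name: AutoMerge check
on:
  pull_request:              # PR events only
    types: [opened, reopened, synchronize]
permissions:
  contents: read             # read-only checkout
  statuses: write            # enough to post the commit status from check_pr
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: julia-actions/setup-julia@v2
      - name: AutoMerge.check_pr
        env:
          # Only the ephemeral workflow token is present; no merge credential here.
          AUTOMERGE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: julia --project=.ci/AutoMerge .ci/AutoMerge/check.jl   # assumed script path
---
# .github/workflows/automerge_merge.yml (illustrative; never runs on pull_request)
name: AutoMerge merge
on:
  schedule:
    - cron: '0 */4 * * *'    # 4-hour fallback cadence mentioned in the PR
  workflow_dispatch:         # dispatched by the stopwatch workflow when needed
permissions:
  contents: read             # merges go through the separate merge token, not GITHUB_TOKEN
jobs:
  merge:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # checks out the registry's default branch, not PR code
      - uses: julia-actions/setup-julia@v2
      - name: AutoMerge.merge_prs
        env:
          AUTOMERGE_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          AUTOMERGE_MERGE_TOKEN: ${{ secrets.TAGBOT_TOKEN }}   # merge credential lives only here
        run: julia --project=.ci/AutoMerge .ci/AutoMerge/merge.jl   # assumed script path
```

The property to check in review is that no job that checks out or evaluates PR content ever lists `TAGBOT_TOKEN` in its `env`, and no job that does list it has `pull_request` among its triggers.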