llm-d · revit13 · Feb 12, 2026 · Feb 12, 2026 · Feb 12, 2026 · Feb 15, 2026
diff --git a/.github/workflows/chatops-dispatcher.yml b/.github/workflows/chatops-dispatcher.yml
@@ -0,0 +1,18 @@
+name: ChatOps Dispatcher
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  dispatch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Slash Command Dispatch
+        uses: peter-evans/slash-command-dispatch@v3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commands: lgtm
+          # 1. Basic Security: Only allow users with 'write' access to even trigger this
+          permission: write
+          issue-type: pull-request
+          reactions: false
diff --git a/.github/workflows/lgtm-commad.yml b/.github/workflows/lgtm-commad.yml
@@ -0,0 +1,149 @@
+# ============================================================================
+# LGTM Command Worker
+# ============================================================================
+# Handles /lgtm commands from chatops-dispatcher
+#
+# Flow:
+# 1. User comments /lgtm on PR
+# 2. chatops-dispatcher catches it and dispatches here
+# 3. This workflow:
+#    - Verifies user is in OWNERS file
+#    - Checks if PR is draft
+#    - Checks for blocking labels (hold/wip/do-not-merge)
+#    - Adds lgtm label
+#    - Waits 5 minutes (allows gatekeeper to run)
+#    - Enables auto-merge
+# ============================================================================
+
+name: LGTM Command Worker
+on:
+  repository_dispatch:
+    types: [lgtm-command]
+
+jobs:
+  apply-lgtm:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+    steps:
+      - uses: actions/checkout@v4
+
+      # -----------------------------------------------------------------------
+      # STEP 1: AUTHORIZATION - Verify user is in OWNERS file
+      # -----------------------------------------------------------------------
+      # Only users listed as approvers in OWNERS can use /lgtm
+      # This prevents unauthorized users from approving PRs
+      - name: Check Permissions
+        id: check
+        env:
+          ACTOR: ${{ github.event.client_payload.github.actor }}
+        run: |
+          if grep -q "^\s*-\s*$ACTOR\s*$" OWNERS; then
+            echo "authorized=true" >> $GITHUB_OUTPUT
+          else
+            echo "::error::User $ACTOR is not an approver."
-            echo "::error::User $ACTOR is not an approver."
+            echo "::error:: User $ACTOR is not an approver."
-            echo "::error::User $ACTOR is not an approver."
+            echo "::error:: User $ACTOR is not an approver."
+            exit 1
+          fi
+
+      # -----------------------------------------------------------------------
+      # STEP 2: VALIDATION - Check if PR is in draft mode
+      # -----------------------------------------------------------------------
+      # Draft PRs cannot be approved - they must be marked ready for review
+      # This prevents accidental approval of incomplete work
+      - name: Check Draft Status
+        if: steps.check.outputs.authorized == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.client_payload.github.payload.issue.number }}
+          REPO: ${{ github.repository }}
+        run: |
+          IS_DRAFT=$(gh pr view $PR_NUMBER --repo "$REPO" --json isDraft --jq '.isDraft')
+          if [ "$IS_DRAFT" = "true" ]; then
+            echo "::error::Cannot LGTM a Draft PR."
+            gh issue comment $PR_NUMBER --repo "$REPO" --body "⚠️ **LGTM Failed**: PR is a Draft."
+            exit 1
+          fi
+
+      # -----------------------------------------------------------------------
+      # STEP 3: BLOCKING LABELS - Check for hold/wip/do-not-merge
+      # -----------------------------------------------------------------------
+      # If any blocking label exists, fail immediately
+      # This prevents approving PRs that are explicitly marked as not ready
+      - name: Check for Blocking Labels
+        if: steps.check.outputs.authorized == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.client_payload.github.payload.issue.html_url }}
+        run: |
+          LABELS=$(gh pr view "$PR_URL" --json labels --jq '.labels[].name')
+          if echo "$LABELS" | grep -Eiq "^(hold|wip|do-not-merge)$"; then
+            echo "::error::PR is blocked by label."
+            gh issue comment "$PR_URL" --body "  **Merge Blocked**: Please remove the \`hold\`, \`wip\`, or \`do-not-merge\` label before merging."
+            exit 1
+          fi
+
+      # -----------------------------------------------------------------------
+      # STEP 4: APPLY LGTM - Add label, wait, then enable auto-merge
+      # -----------------------------------------------------------------------
+      # 1. Add lgtm label (triggers gatekeeper to validate)
+      # 2. Wait 5 minutes (gives time for:
+      #    - Gatekeeper to run and validate
+      #    - CI checks to start
+      #    - Early failure detection)
+      # 3. Enable auto-merge (PR will merge when all checks pass)
+      - name: Apply Label & Merge
+        if: steps.check.outputs.authorized == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.BOT_TOKEN }}
+          PR_NUMBER: ${{ github.event.client_payload.github.payload.issue.number }}
+          PR_URL: ${{ github.event.client_payload.github.payload.issue.html_url }}
+        run: |
+          # Apply lgtm label
+          if ! gh issue edit "$PR_NUMBER" --add-label "lgtm"; then
+            echo "::error::Failed to add lgtm label"
+            gh issue comment "$PR_URL" --body "  **Error**: Failed to add lgtm label to the PR."
+            exit 1
+          fi
+
+          echo "Waiting 5 minutes before setting auto-merge..."
+          echo "Current time: $(date)"
+          sleep 300
+          echo "Wait completed at: $(date)"
+
+          # Enable auto-merge with error handling
+          if ! gh pr merge --auto --squash "$PR_URL" 2>&1 | tee merge_output.txt; then
+            echo "::error::Failed to enable auto-merge"
+            ERROR_MSG=$(cat merge_output.txt)
+            gh issue comment "$PR_URL" --body "  **Auto-merge failed**: Could not enable auto-merge on this PR.
+
+          **Error details:**
+          \`\`\`
+          $ERROR_MSG
+          \`\`\`
+
+          **Common reasons:**
+          - Branch protection rules not satisfied
+          - Required status checks not passing
+          - Merge conflicts present
+          - Auto-merge not enabled for this repository
+
+          Please check the PR status and try again, or merge manually."
+            exit 1
+          fi
+
+          echo "✅ Auto-merge enabled successfully"
+          gh issue comment "$PR_URL" --body "✅ **LGTM**: Auto-merge has been enabled. The PR will merge automatically once all checks pass."
+
+
+      # -----------------------------------------------------------------------
+      # STEP 5: FEEDBACK - Add reaction to comment
+      # -----------------------------------------------------------------------
+      # Visual confirmation that the command was processed successfully
+      - name: React Rocket
+        if: success()
+        uses: peter-evans/create-or-update-comment@v3
+        with:
+          comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
+          reactions: rocket
diff --git a/.github/workflows/lgtm-gatekeeper.yml b/.github/workflows/lgtm-gatekeeper.yml
@@ -0,0 +1,42 @@
+# ============================================================================
+# LGTM Gatekeeper - Required Status Check
+# ============================================================================
+# Rules Enforced:
+# 1. PR MUST have "lgtm" label
+# 2. PR MUST NOT have blocking labels (hold, wip, do-not-merge)
+# ============================================================================
+
+name: LGTM Gatekeeper
+on:
+  pull_request:
+    # Run on PR open/reopen and label changes
+    # NOT on synchronize (handled by lgtm-reset.yml)
+    types: [opened, labeled, unlabeled, reopened]
+
+jobs:
+  validate-pr:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Enforce LGTM & Blockers
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          REPO: ${{ github.repository }}
+        run: |
+          # Fetch current labels
+          LABELS=$(gh pr view $PR_NUMBER --repo "$REPO" --json labels --jq '.labels[].name')
+
+          # Check 1: IS IT BLOCKED?
+          if echo "$LABELS" | grep -Eiq "^(hold|wip|do-not-merge)$"; then
+            echo "::error::⛔ FAILED: PR is blocked by a 'hold', 'wip', or 'do-not-merge' label."
+            exit 1
+          fi
+
+          # Check 2: IS IT APPROVED?
+          # If Reset workflow removed the label, this check fails immediately.
+          if ! echo "$LABELS" | grep -Fqx "lgtm"; then
+            echo "::error::⛔ FAILED: PR is missing the 'lgtm' label."
+            exit 1
+          fi
+
+          echo "✅ PASSED: LGTM present and no blockers."
diff --git a/.github/workflows/lgtm-reset.yml b/.github/workflows/lgtm-reset.yml
@@ -0,0 +1,39 @@
+# ============================================================================
+# LGTM Reset - Auto-Remove LGTM on New Commits
+# ============================================================================
+# Kubernetes Prow behavior: When new commits are pushed, approval is invalidated
+#
+# What It Does:
+# 1. Detects when new commits are pushed to a PR
+# 2. Removes the "lgtm" label (if present)
+# 3. Disables auto-merge (safety net)
+# 4. Posts a comment explaining why
+# ============================================================================
+
+name: LGTM Reset
+on:
+  pull_request:
+    types: [synchronize] # Triggers instantly on new commits
+
+jobs:
+  reset-lgtm:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Invalidate LGTM
+        env:
+          GH_TOKEN: ${{ secrets.BOT_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          REPO: ${{ github.repository }}
+        run: |
+          echo "🚨 New code pushed. Resetting LGTM status..."
+
+          # 1. Remove the label (This triggers the Gatekeeper to run again)
+          gh pr edit $PR_NUMBER --repo "$REPO" --remove-label "lgtm" || true
+
+          # 2. Disable Auto-Merge (Safety net)
+          gh pr merge --disable-auto $PR_NUMBER --repo "$REPO" || true
+
+          # 3. Notify user
+          gh issue comment $PR_NUMBER --repo "$REPO" --body "🔄 **Reset**: New commits pushed. LGTM removed."
diff --git a/.github/workflows/prow-github.yml b/.github/workflows/prow-github.yml
@@ -18,7 +18,7 @@ jobs:
     steps:
       - uses: jpmcb/prow-github-actions@v2.0.0
         with:
-          github-token: "${{ secrets.GITHUB_TOKEN }}"
+          github-token: "${{ secrets.BOT_TOKEN }}"
           prow-commands: "/assign
             /unassign
             /approve
@@ -27,7 +27,6 @@ jobs:
             /kind
             /priority
             /remove
-            /lgtm
             /close
             /reopen
             /lock

diff --git a/.github/workflows/prow-pr-automerge.yml b/.github/workflows/prow-pr-automerge.yml
diff --git a/.github/workflows/prow-pr-remove-lgtm.yml b/.github/workflows/prow-pr-remove-lgtm.yml