ci(arm-auto-merge): dispatch-triggered Model B wire, no PAT (MCP-1249)

Dumbris · Dumbris · commit 608c710b3378 · 2026-06-07T07:00:57.000+03:00
Task B follow-up to MCP-1248. Adds .github/workflows/arm-auto-merge.yml:
repository_dispatch (event_type: arm-auto-merge) + workflow_dispatch trigger
that runs inside Actions under the built-in GITHUB_TOKEN (github-actions[bot]),
re-checks PR head SHA (spec-075 drift guard) + qa-gate=success, posts the
approving review (reflecting the Paperclip ACCEPT verdict, counts toward
required_approving_review_count) and arms 'gh pr merge --auto --squash'.

Closes the 'GitHub sees 0 approvals' gap for code PRs with NO new secret and
no --admin. scripts/arm-auto-merge.sh retained as the manual/PAT fallback.
Cockpit Gate-3 Approve -&gt; dispatch wiring lives in the Paperclip control-plane
(documented in docs/qa-merge-gate.md), out of this repo's lane.

actionlint clean.
diff --git a/.github/workflows/arm-auto-merge.yml b/.github/workflows/arm-auto-merge.yml
@@ -0,0 +1,130 @@
+# Arm auto-merge for a code PR — Model B "missing wire" (MCP-1249, follow-up to
+# MCP-1248). This is the no-human-credential half of `scripts/arm-auto-merge.sh`.
+#
+# WHY THIS EXISTS
+#   `scripts/arm-auto-merge.sh` (Option A) needs a repo-scoped bot PAT / GitHub
+#   App token minted by a GitHub human/org identity and stored with the agent
+#   secrets. This workflow (Option B) needs NO new secret: the cockpit fires a
+#   `repository_dispatch` on Gate-3 Approve using the gh login it already has,
+#   and the approve+arm happens *inside Actions* under the built-in
+#   `GITHUB_TOKEN` (the `github-actions[bot]` identity). A `github-actions[bot]`
+#   approval counts toward `required_approving_review_count` (same identity
+#   qa-gate-trivial / dependabot-auto-merge already rely on), so this closes the
+#   "GitHub sees 0 approvals" gap with no PAT and no `gh pr merge --admin`.
+#
+# INVARIANTS (identical to scripts/arm-auto-merge.sh — keep them in sync)
+#   - Agents ARM auto-merge; they NEVER bypass a required check. No `--admin`,
+#     no `bypass_pull_request_allowances`.
+#   - spec-075: a PASS is valid only while PR head == the blessed SHA. We
+#     re-verify the live PR head still equals `head_sha` before approving, and
+#     refuse on drift.
+#   - `qa-gate` must be `success` at that exact SHA before we approve.
+#
+# DISPATCH CONTRACT (how the cockpit Gate-3 Approve fires this)
+#   repository_dispatch:
+#     event_type: arm-auto-merge
+#     client_payload: { "pr": <number>, "head_sha": "<40-hex>", "body": "<optional>" }
+#   e.g. from the cockpit's existing gh login (no new credential):
+#     gh api repos/${REPO}/dispatches -f event_type=arm-auto-merge \
+#       -F 'client_payload[pr]=607' -F 'client_payload[head_sha]=fe9fb8e...'
+#   `workflow_dispatch` below is the manual equivalent for owner/debug use.
+#
+# See docs/qa-merge-gate.md ("Merging without --admin").
+name: Arm auto-merge (Model B)
+
+on:
+  repository_dispatch:
+    types: [arm-auto-merge]
+  workflow_dispatch:
+    inputs:
+      pr:
+        description: PR number to arm
+        required: true
+      head_sha:
+        description: Expected PR head SHA (spec-075 drift guard)
+        required: true
+      body:
+        description: Approval body (optional)
+        required: false
+
+# contents: write + pull-requests: write are needed to post the approving review
+# and arm `gh pr merge --auto`. statuses is read implicitly (commit status read
+# needs no extra scope). No `--admin` path is ever taken.
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  arm:
+    name: arm-auto-merge
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Resolve inputs (repository_dispatch | workflow_dispatch)
+        id: in
+        env:
+          # repository_dispatch carries client_payload.*; workflow_dispatch
+          # carries inputs.*. Exactly one set is populated per run.
+          RD_PR: ${{ github.event.client_payload.pr }}
+          RD_SHA: ${{ github.event.client_payload.head_sha }}
+          RD_BODY: ${{ github.event.client_payload.body }}
+          WD_PR: ${{ github.event.inputs.pr }}
+          WD_SHA: ${{ github.event.inputs.head_sha }}
+          WD_BODY: ${{ github.event.inputs.body }}
+        run: |
+          PR="${RD_PR:-$WD_PR}"
+          SHA="${RD_SHA:-$WD_SHA}"
+          BODY="${RD_BODY:-$WD_BODY}"
+          if [[ -z "$PR" || -z "$SHA" ]]; then
+            echo "::error::missing pr and/or head_sha (got pr='$PR' head_sha='$SHA')"
+            exit 2
+          fi
+          if [[ ! "$SHA" =~ ^[0-9a-f]{7,40}$ ]]; then
+            echo "::error::head_sha is not a hex SHA: '$SHA'"
+            exit 2
+          fi
+          {
+            echo "pr=$PR"
+            echo "sha=$SHA"
+            echo "body=${BODY:-Approved (Model B): Paperclip review verdicts = ACCEPT and qa-gate green at this head SHA. Arming auto-merge; GitHub merges when all required checks pass.}"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Verify head SHA + qa-gate, then approve & arm
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+          PR: ${{ steps.in.outputs.pr }}
+          EXPECTED_SHA: ${{ steps.in.outputs.sha }}
+          BODY: ${{ steps.in.outputs.body }}
+        run: |
+          set -euo pipefail
+
+          # 1. spec-075: live PR head must still equal the blessed SHA.
+          LIVE_SHA="$(gh pr view "$PR" --repo "$REPO" --json headRefOid -q .headRefOid)"
+          # Allow a short (>=7) prefix from the dispatcher to match the full OID.
+          if [[ "$LIVE_SHA" != "$EXPECTED_SHA" && "${LIVE_SHA#"$EXPECTED_SHA"}" == "$LIVE_SHA" ]]; then
+            echo "::error::head SHA drifted: blessed=$EXPECTED_SHA live=$LIVE_SHA — re-run QA/review on the new head; refusing to approve."
+            exit 3
+          fi
+
+          # 2. qa-gate must be success at this exact SHA.
+          QA_STATE="$(gh api "repos/${REPO}/commits/${LIVE_SHA}/status" \
+            -q '.statuses[] | select(.context=="qa-gate") | .state' 2>/dev/null | head -1 || true)"
+          if [[ "$QA_STATE" != "success" ]]; then
+            echo "::error::qa-gate is '${QA_STATE:-missing}' at ${LIVE_SHA} (need success) — refusing to approve."
+            exit 4
+          fi
+
+          # 3. Never approve a PR authored by our own bot identity (GitHub would
+          #    reject it anyway; fail loudly so a misroute is visible).
+          AUTHOR="$(gh pr view "$PR" --repo "$REPO" --json author -q .author.login)"
+          if [[ "$AUTHOR" == "github-actions[bot]" ]]; then
+            echo "::error::PR #$PR is authored by github-actions[bot]; cannot self-approve."
+            exit 5
+          fi
+
+          # 4. Post the approving review (reflects the Paperclip ACCEPT verdict;
+          #    counts toward required_approving_review_count) and arm auto-merge.
+          gh pr review --approve "$PR" --repo "$REPO" --body "$BODY"
+          gh pr merge --auto --squash "$PR" --repo "$REPO"
+          echo "armed auto-merge for PR #$PR at $LIVE_SHA (merges when all required checks are green)"
diff --git a/docs/qa-merge-gate.md b/docs/qa-merge-gate.md
@@ -101,15 +101,34 @@ The moving parts (all without `--admin`):
 |---|---|---|
 | Trivial / docs / CI-metadata PRs | Auto-post `qa-gate=success` when the diff touches **no** code-bearing path (`**/*.go`, `go.mod/sum`, `cmd/**`, `internal/**`, `frontend/src/**`, `native/**`); code PRs are left to the real QATester. | `.github/workflows/qa-gate-trivial.yml` |
 | Dependabot patch + minor | `dependabot/fetch-metadata` → `github-actions[bot]` approving review (counts) → `gh pr merge --auto --squash`. Majors still need a human. | `.github/workflows/dependabot-auto-merge.yml` |
-| Code PRs (owner + Paperclip) | After Paperclip verdicts = ACCEPT **and** `qa-gate=success` at head SHA, a bot identity posts a GitHub approving review (reflecting the verdict) and arms auto-merge. Gate 3 stays a human **Approve** button; merge fires only when all 11 checks are green. | `scripts/arm-auto-merge.sh` |
-
-`scripts/arm-auto-merge.sh` re-checks the live PR head against the SHA it was
-blessed at (refuses on drift) and that `qa-gate` is `success` at that SHA before
-approving — so the spec-075 rule is enforced in the merge path, not just the
-status. It needs a **repo-scoped fine-grained PAT or GitHub App token**
-(Contents RW, Pull requests RW, Commit statuses RW) injected as `GH_TOKEN`,
-stored with the agent secrets (`searcher/agents/.env` pattern, gitignored) —
-**not** the owner's `--admin`-capable login.
+| Code PRs (owner + Paperclip) — **no credential, recommended** | On cockpit Gate-3 Approve the cockpit fires a `repository_dispatch` (`event_type: arm-auto-merge`) using the gh login it already has. The workflow runs *inside Actions* under the built-in `GITHUB_TOKEN` (`github-actions[bot]`), re-checks head SHA + `qa-gate=success`, posts the approving review (reflecting the Paperclip ACCEPT verdict) and arms auto-merge. No new secret, no PAT. | `.github/workflows/arm-auto-merge.yml` |
+| Code PRs (owner + Paperclip) — **manual / PAT fallback** | Same verification + approve + arm, run locally with a repo-scoped bot PAT / App token. Use when Actions dispatch isn't available. | `scripts/arm-auto-merge.sh` |
+
+Both paths re-check the live PR head against the SHA they were blessed at
+(refuse on drift) and that `qa-gate` is `success` at that SHA before approving —
+so the spec-075 rule is enforced in the merge path, not just the status. Gate 3
+stays a human **Approve** button; merge fires only when all 11 checks are green.
+
+**Recommended path — `.github/workflows/arm-auto-merge.yml` (Option B, no new
+credential).** The cockpit Approve fires:
+
+```bash
+gh api repos/${REPO}/dispatches -f event_type=arm-auto-merge \
+  -F 'client_payload[pr]=<number>' -F 'client_payload[head_sha]=<blessed-sha>'
+```
+
+The workflow approves+arms under `github-actions[bot]` — the same identity
+`qa-gate-trivial` and `dependabot-auto-merge` already use, whose approval counts
+toward `required_approving_review_count`. A `workflow_dispatch` trigger gives the
+owner the same action manually for debug. **Cockpit wiring of the Gate-3 Approve
+button to this dispatch lives in the Paperclip cockpit (control-plane), not in
+this repo** — see MCP-1249.
+
+**Fallback path — `scripts/arm-auto-merge.sh` (Option A).** Needs a
+**repo-scoped fine-grained PAT or GitHub App token** (Contents RW, Pull requests
+RW, Commit statuses RW) injected as `GH_TOKEN`, stored with the agent secrets
+(`searcher/agents/.env` pattern, gitignored) — **not** the owner's
+`--admin`-capable login.
 
 **Gate-3 doctrine** (supersedes "agents never merge PRs; a human merges"):
 agents may post their review (reflecting the Paperclip verdict) and **arm**
