ci: merge without --admin (Model B) — qa-gate-trivial + dependabot + arm-auto-merge (MCP-1248, MCP-1249)#620
Merged
Conversation
…to-merge + arm script Land PRs through GitHub auto-merge instead of `gh pr merge --admin`, keeping every required check (incl. qa-gate) meaningful. Agents arm auto-merge; they never bypass. - qa-gate-trivial.yml: post qa-gate=success for PRs touching no code-bearing path (dorny/paths-filter, required-safe); code PRs left to the real QATester (preserves spec-075 head-SHA invariant). - dependabot-auto-merge.yml: fetch-metadata -> bot approving review (counts) -> auto-merge --squash, gated to patch+minor; majors get a human. - scripts/arm-auto-merge.sh: after Paperclip ACCEPT + qa-gate green at head SHA, a bot identity approves and arms auto-merge; re-checks head drift + qa-gate before approving; never --admin. - docs/qa-merge-gate.md: Model B doctrine + reframe --admin as emergency-only. Task B credential provisioning (repo-scoped fine-grained PAT / GitHub App) is a follow-up owner action. Refs MCP-1248
Deploying mcpproxy-docs with
|
| Latest commit: |
608c710
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://df916097.mcpproxy-docs.pages.dev |
| Branch Preview URL: | https://releng-mcp-1248-merge-withou.mcpproxy-docs.pages.dev |
|
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Task B follow-up to MCP-1248. Adds .github/workflows/arm-auto-merge.yml: repository_dispatch (event_type: arm-auto-merge) + workflow_dispatch trigger that runs inside Actions under the built-in GITHUB_TOKEN (github-actions[bot]), re-checks PR head SHA (spec-075 drift guard) + qa-gate=success, posts the approving review (reflecting the Paperclip ACCEPT verdict, counts toward required_approving_review_count) and arms 'gh pr merge --auto --squash'. Closes the 'GitHub sees 0 approvals' gap for code PRs with NO new secret and no --admin. scripts/arm-auto-merge.sh retained as the manual/PAT fallback. Cockpit Gate-3 Approve -> dispatch wiring lives in the Paperclip control-plane (documented in docs/qa-merge-gate.md), out of this repo's lane. actionlint clean.
Dumbris
changed the title
📦 Build ArtifactsWorkflow Run: View Run Available Artifacts
How to DownloadOption 1: GitHub Web UI (easiest)
Option 2: GitHub CLI gh run download 27082137676 --repo smart-mcp-proxy/mcpproxy-go
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Model B "merge without
--admin" — lands PRs through GitHub auto-merge once every required check is green; agents arm the merge, never bypass a check (enforce_adminsstaysfalseas an emergency hatch only).MCP-1248 (original)
.github/workflows/qa-gate-trivial.yml— auto-postqa-gate=successfor non-code PRs (docs/CI/metadata); code PRs left to the real QATester..github/workflows/dependabot-auto-merge.yml—github-actions[bot]approves + arms auto-merge for patch/minor; majors need a human.scripts/arm-auto-merge.sh— manual/PAT fallback for code PRs (Option A).MCP-1249 — Task B "missing wire" (added in 608c710)
.github/workflows/arm-auto-merge.yml— Option B, no new credential.repository_dispatch(event_type: arm-auto-merge) +workflow_dispatch, runs inside Actions under the built-inGITHUB_TOKEN(github-actions[bot]). Re-checks PR head SHA (spec-075 drift guard) +qa-gate=success, posts the approving review (reflecting the Paperclip ACCEPT verdict — counts towardrequired_approving_review_count) and armsgh pr merge --auto --squash. Closes the "GitHub sees 0 approvals" gap with no PAT and no--admin.docs/qa-merge-gate.md— documents both paths + the cockpit dispatch contract.Dispatch contract (cockpit Gate-3 Approve fires, using its existing gh login):
Out of this repo's lane
Cockpit-side wiring of the Gate-3 Approve button to fire the dispatch lives in the Paperclip control-plane, tracked as a follow-up (MCP-1249 child). This repo provides the receiving workflow + contract.
actionlintclean. Diff is CI/docs/scripts only (no code-bearing paths) →qa-gate-trivialauto-passes.