feat: add qyl-continuation plugin (smart auto-continuation, v1.0.0) (#158) #950
| # Auto-merge workflow for trusted PRs - Maximum Autonomy | |
| # | |
| # Tiers: | |
| # 1a. Dependabot PRs: Auto-approve + auto-merge for patch/minor | |
| # 1b. Renovate PRs: Auto-approve + auto-merge | |
| # 2. AI Agent fix PRs (copilot/, claude/): Auto-merge when CI passes | |
| # 3. CodeRabbit/Claude/Codex approved PRs: Auto-merge when CI passes | |
| # | |
| # Requirements: | |
| # - Repo setting "Allow auto-merge" must be enabled | |
| # - Branch protection bypass for bot accounts in Rulesets | |
| # | |
| # Security: All external inputs are passed via env: to prevent code injection | |
| name: Auto-merge | |
| on: | |
| pull_request_target: | |
| types: [ opened, synchronize, reopened, ready_for_review ] | |
| pull_request_review: | |
| types: [ submitted ] | |
| check_suite: | |
| types: [ completed ] | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| jobs: | |
| # Tier 1a: Auto-approve and auto-merge Dependabot PRs | |
| dependabot-auto-merge: | |
| name: Dependabot auto-merge | |
| runs-on: ubuntu-latest | |
| if: github.actor == 'dependabot[bot]' | |
| steps: | |
| - name: Fetch Dependabot metadata | |
| id: metadata | |
| uses: dependabot/fetch-metadata@v2 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Auto-approve patch and minor updates | |
| if: steps.metadata.outputs.update-type != 'version-update:semver-major' | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: gh pr review --approve "$PR_URL" | |
| - name: Enable auto-merge for patch and minor | |
| if: steps.metadata.outputs.update-type != 'version-update:semver-major' | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: gh pr merge --auto --squash "$PR_URL" | |
| - name: Comment on major updates | |
| if: steps.metadata.outputs.update-type == 'version-update:semver-major' | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| DEP_NAMES: ${{ steps.metadata.outputs.dependency-names }} | |
| PREV_VERSION: ${{ steps.metadata.outputs.previous-version }} | |
| NEW_VERSION: ${{ steps.metadata.outputs.new-version }} | |
| run: | | |
| gh pr comment "$PR_URL" --body "## ⚠️ Major Version Update | |
| This is a **major version update** that may contain breaking changes. | |
| **Manual review required.** Please: | |
| 1. Check the changelog for breaking changes | |
| 2. Test locally if needed | |
| 3. Approve and merge manually | |
| Dependency: \`$DEP_NAMES\` | |
| Update: \`$PREV_VERSION\` → \`$NEW_VERSION\`" | |
| # Tier 1b: Auto-merge Renovate PRs | |
| renovate-auto-merge: | |
| name: Renovate auto-merge | |
| runs-on: ubuntu-latest | |
| if: github.actor == 'renovate[bot]' | |
| steps: | |
| - name: Auto-approve Renovate PRs | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: gh pr review --approve "$PR_URL" | |
| - name: Enable auto-merge for Renovate | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: gh pr merge --auto --squash "$PR_URL" | |
| # Tier 2: Auto-merge AI agent fix PRs (Copilot, Claude) | |
| ai-agent-auto-merge: | |
| name: AI Agent auto-merge | |
| runs-on: ubuntu-latest | |
| if: | | |
| startsWith(github.event.pull_request.head.ref, 'copilot/') || | |
| startsWith(github.event.pull_request.head.ref, 'claude/') | |
| steps: | |
| # SECURITY: Pass branch name via env to prevent code injection (CWE-94) | |
| - name: Identify AI agent | |
| id: agent | |
| env: | |
| BRANCH: ${{ github.event.pull_request.head.ref }} | |
| run: | | |
| if [[ "$BRANCH" == copilot/* ]]; then | |
| echo "agent=Copilot" >> "$GITHUB_OUTPUT" | |
| elif [[ "$BRANCH" == claude/* ]]; then | |
| echo "agent=Claude" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Auto-approve AI agent PRs | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| AGENT: ${{ steps.agent.outputs.agent }} | |
| run: | | |
| echo "Auto-approving $AGENT PR" | |
| gh pr review --approve "$PR_URL" --body "✅ Auto-approved: $AGENT autonomous fix PR" | |
| - name: Enable auto-merge for AI agent PRs | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: gh pr merge --auto --squash "$PR_URL" | |
| # Tier 3a: Auto-merge PRs approved by CodeRabbit | |
| coderabbit-auto-merge: | |
| name: CodeRabbit auto-merge | |
| runs-on: ubuntu-latest | |
| if: | | |
| github.event_name == 'pull_request_review' && | |
| github.event.review.state == 'approved' && | |
| github.event.review.user.login == 'coderabbitai[bot]' | |
| steps: | |
| - name: Enable auto-merge for CodeRabbit approved PRs | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| run: | | |
| echo "CodeRabbit approved PR #$PR_NUMBER" | |
| gh pr merge --auto --squash "$PR_URL" | |
| # Tier 3b: Auto-merge PRs approved by Claude | |
| # SECURITY: Requires github-actions[bot] to prevent spoofing by humans | |
| claude-approved-auto-merge: | |
| name: Claude approved auto-merge | |
| runs-on: ubuntu-latest | |
| if: | | |
| github.event_name == 'pull_request_review' && | |
| github.event.review.state == 'approved' && | |
| github.event.review.user.login == 'github-actions[bot]' && | |
| contains(github.event.review.body, '## Claude Code Review') | |
| steps: | |
| - name: Enable auto-merge for Claude approved PRs | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| run: | | |
| echo "Claude approved PR #$PR_NUMBER" | |
| gh pr merge --auto --squash "$PR_URL" | |
| # Tier 3c: Auto-merge PRs approved by Codex | |
| # SECURITY: Requires github-actions[bot] to prevent spoofing by humans | |
| codex-approved-auto-merge: | |
| name: Codex approved auto-merge | |
| runs-on: ubuntu-latest | |
| if: | | |
| github.event_name == 'pull_request_review' && | |
| github.event.review.state == 'approved' && | |
| github.event.review.user.login == 'github-actions[bot]' && | |
| contains(github.event.review.body, '## Codex Review') | |
| steps: | |
| - name: Enable auto-merge for Codex approved PRs | |
| env: | |
| PR_URL: ${{ github.event.pull_request.html_url }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| run: | | |
| echo "Codex approved PR #$PR_NUMBER" | |
| gh pr merge --auto --squash "$PR_URL" |
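Review bot: The Tier 2 job's `if:` (`startsWith(github.event.pull_request.head.ref, 'copilot/') || startsWith(github.event.pull_request.head.ref, 'claude/')`) gates auto-approval and auto-merge on the head branch name alone, and because the workflow runs on `pull_request_target` with `contents: write`, a pull request from a fork whose branch is simply named `copilot/...` or `claude/...` would be approved and queued for merge by this job with no check on who authored it. Restrict the job to same-repository branches and the expected event by prepending `github.event_name == 'pull_request_target' &&` and `github.event.pull_request.head.repo.full_name == github.repository &&` to the condition, with the two existing `startsWith(...)` clauses parenthesised together; if the agents' bot accounts are known, a `github.event.pull_request.user.login == '<AGENT_BOT_LOGIN>'` check is a stronger gate than the branch prefix, since any collaborator with push access can create a branch with that prefix. The Dependabot and Renovate jobs have a related gap: their `if:` has no `event_name` guard, so on the `check_suite` trigger declared under `on:` the `github.event.pull_request.html_url` value read into `PR_URL` is presumably empty and `gh pr review --approve "$PR_URL"` runs without a target; the same `github.event_name == 'pull_request_target' &&` clause fixes that, and the `# SECURITY:` header comment should state that each job's `if:` is the only authorization boundary for these write-scoped steps.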