Add GitHub Action to auto-merge release PRs

[xerial]

Summary

• Adds a GitHub Action workflow that automatically merges PRs from the scala-steward-wvlet bot
• Targets PRs with titles starting with "Release wvlet" (e.g., "Release wvlet 2025.1.12")
• Automatically approves and enables auto-merge for these PRs

How it works

1. The workflow triggers on PR open/synchronize events
2. Checks if the PR is from scala-steward-wvlet[bot] and has a release title
3. Auto-approves the PR
4. Enables auto-merge to merge when all checks pass

Test plan

• Workflow syntax is valid
• Next release PR from scala-steward-wvlet bot should be auto-merged
• Non-release PRs should not be affected

🤖 Generated with Claude Code
https://claude.ai/code

[gemini-code-assist]

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

[xerial]

Security Review Results

✅ No security vulnerabilities identified.

After thorough analysis of the GitHub Action workflow (.github/workflows/auto-merge-release.yml), the following were examined but determined to be false positives:

1. Command Injection via PR Title (Confidence: 2/10) - The workflow only accepts PRs from the authenticated scala-steward-wvlet[bot] GitHub App, which follows predictable patterns and is controlled by repository maintainers. GitHub's infrastructure prevents external actors from spoofing bot identities.

2. Bot Authentication Bypass (Confidence: 2/10) - GitHub's username restrictions prevent regular users from creating accounts with the [bot] suffix. This suffix is exclusively reserved for GitHub Apps and cannot be spoofed.

3. Title Validation Bypass (Confidence: 3/10) - The bot generates titles programmatically following a consistent pattern. Combined with the bot authentication requirement, there's no realistic attack vector for external adversaries.

The workflow implements reasonable security practices for automated release management through proper authentication checks and controlled automation scope.