Add GitHub Action to auto-merge release PRs #30

Merged: xerial merged 1 commit into main from add-auto-merge-workflow on Aug 17, 2025

Conversation

xerial (Member) commented Aug 17, 2025

Summary

  • Adds a GitHub Action workflow that automatically merges PRs from the scala-steward-wvlet bot
  • Targets PRs with titles starting with "Release wvlet" (e.g., "Release wvlet 2025.1.12")
  • Automatically approves and enables auto-merge for these PRs

How it works

  1. The workflow triggers on PR open/synchronize events
  2. Checks if the PR is from scala-steward-wvlet[bot] and has a release title
  3. Auto-approves the PR
  4. Enables auto-merge to merge when all checks pass

Test plan

  • Workflow syntax is valid
  • Next release PR from scala-steward-wvlet bot should be auto-merged
  • Non-release PRs should not be affected

🤖 Generated with Claude Code
https://claude.ai/code

This workflow automatically approves and merges PRs from the scala-steward-wvlet bot
when they are release PRs (title starts with "Release wvlet").

🤖 Generated with Claude Code
https://claude.ai/code

Co-Authored-By: Claude <noreply@anthropic.com>
gemini-code-assist commented:

Note: Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

xerial (Member, Author) commented Aug 17, 2025

Security Review Results

✅ No security vulnerabilities identified.

After thorough analysis of the GitHub Action workflow (.github/workflows/auto-merge-release.yml), the following were examined but determined to be false positives:

  1. Command Injection via PR Title (Confidence: 2/10) - The workflow only accepts PRs from the authenticated scala-steward-wvlet[bot] GitHub App, which follows predictable patterns and is controlled by repository maintainers. GitHub's infrastructure prevents external actors from spoofing bot identities.

  2. Bot Authentication Bypass (Confidence: 2/10) - GitHub's username restrictions prevent regular users from creating accounts with the [bot] suffix. This suffix is exclusively reserved for GitHub Apps and cannot be spoofed.

  3. Title Validation Bypass (Confidence: 3/10) - The bot generates titles programmatically following a consistent pattern. Combined with the bot authentication requirement, there's no realistic attack vector for external adversaries.

The workflow implements reasonable security practices for automated release management through proper authentication checks and controlled automation scope.
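The following is an added illustration of the four steps listed under "How it works", written from the reviewer's standpoint on the "Command Injection via PR Title" item above. It is not the repository's actual `.github/workflows/auto-merge-release.yml`; the bot login, the title prefix and the squash merge strategy are assumptions. The title is gated with expression functions and handed to the shell only through an environment variable, so the script never has template-expanded text spliced into it.

```yaml
# Added example, not the project's own workflow file.
# Assumptions: bot login 'scala-steward-wvlet[bot]', title prefix
# 'Release wvlet', squash merge.
name: Auto-merge release PRs

on:
  pull_request:
    types: [opened, synchronize]

permissions:
  contents: write        # needed by `gh pr merge --auto`
  pull-requests: write   # needed by `gh pr review --approve`

jobs:
  auto-merge:
    # Steps 1-2: run only for the authenticated App login and a release
    # title. Both checks are expression functions, so no untrusted string
    # is ever interpolated into a shell command.
    if: >-
      github.event.pull_request.user.login == 'scala-steward-wvlet[bot]' &&
      startsWith(github.event.pull_request.title, 'Release wvlet')
    runs-on: ubuntu-latest
    steps:
      - name: Approve and enable auto-merge
        env:
          GH_TOKEN: ${{ github.token }}
          # The title reaches the shell as a quoted variable, not as text
          # expanded into the script by ${{ ... }}, so metacharacters in a
          # title cannot change what the commands below execute.
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPO: ${{ github.repository }}
        run: |
          printf 'Release PR #%s: %s\n' "$PR_NUMBER" "$PR_TITLE"
          # Step 3: approve the PR.
          gh pr review "$PR_NUMBER" --repo "$REPO" --approve
          # Step 4: enable auto-merge; GitHub merges once required checks pass.
          gh pr merge "$PR_NUMBER" --repo "$REPO" --auto --squash
```

Auto-merge only takes effect when "Allow auto-merge" is enabled in the repository settings and the target branch has required status checks; until those checks pass, the PR stays open.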

@xerial xerial merged commit 5555015 into main Aug 17, 2025
1 check passed
@xerial xerial deleted the add-auto-merge-workflow branch August 17, 2025 20:28