From 643e75f60fae74873b4bd58ba6f6ae68e1ad272c Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Fri, 24 Apr 2026 10:44:25 +0200 Subject: [PATCH 1/3] fix(checkpoints): GH-24..27 accept reusable-workflow delegation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The netresearch org publishes a reusable auto-merge workflow at netresearch/.github/.github/workflows/auto-merge-deps.yml that encapsulates the trigger, bot-gating, --auto merging, and dynamic merge-strategy detection. Many project repos now use a thin caller: jobs: auto-merge: uses: netresearch/.github/.github/workflows/auto-merge-deps.yml@main Before this change: - GH-24 required pull_request_target: in the caller file, but the reusable workflow uses pull_request: (correct for workflow_call). - GH-25/26/27 required inline bot-gating, --auto, and gh-api strategy detection — all provided by the reusable workflow. After: all four checkpoints accept either (a) delegation to the reusable workflow or (b) the original inline implementation with pull_request_target. Verified: against netresearch/t3x-nr-llm, which delegates via uses:, all four now pass instead of erroring. Signed-off-by: Sebastian Mendel --- skills/github-project/checkpoints.yaml | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/skills/github-project/checkpoints.yaml b/skills/github-project/checkpoints.yaml index fc05991..8decf0a 100644 --- a/skills/github-project/checkpoints.yaml +++ b/skills/github-project/checkpoints.yaml 
@@ -139,33 +139,42 @@ mechanical: severity: warning desc: "Auto-merge workflow should exist for Dependabot/Renovate PRs" + # Auto-merge workflows can either: + # (a) delegate to the netresearch org reusable workflow + # (netresearch/.github/.github/workflows/auto-merge-deps.yml), which + # encapsulates the trigger, bot-gating, --auto merging, and dynamic + # merge-strategy detection; or + # (b) inline the full implementation with pull_request_target: + the + # same bot-gating and --auto patterns. + # GH-24..27 accept either path. + - id: GH-24 type: regex target: .github/workflows/auto-merge-deps.yml - pattern: 'on:\s*\n\s*pull_request_target:' + pattern: 'uses:\s*netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|on:\s*\n\s*pull_request_target:' severity: error - desc: "Auto-merge workflow must use pull_request_target trigger (not pull_request) for bot PR write permissions" + desc: "Auto-merge workflow must delegate to netresearch reusable workflow OR use pull_request_target trigger for bot PR write permissions" - id: GH-25 type: regex target: .github/workflows/auto-merge-deps.yml - pattern: 'github\.event\.pull_request\.user\.login' + pattern: 'uses:\s*netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|github\.event\.pull_request\.user\.login' severity: warning - desc: "Auto-merge should check github.event.pull_request.user.login (not github.actor which changes on reruns)" + desc: "Auto-merge should delegate to reusable workflow OR check github.event.pull_request.user.login (not github.actor which changes on reruns)" - id: GH-26 type: regex target: .github/workflows/auto-merge-deps.yml - pattern: '--auto' + pattern: 'uses:\s*netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|--auto' severity: warning - desc: "Auto-merge should use gh pr merge --auto (not direct merge) to respect branch protection and merge queues" + desc: "Auto-merge should delegate to reusable workflow OR use gh pr merge --auto to respect branch protection and merge 
queues" - id: GH-27 type: regex target: .github/workflows/auto-merge-deps.yml - pattern: 'gh api.*repos/\$' + pattern: 'uses:\s*netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|gh api.*repos/\$' severity: info - desc: "Auto-merge should dynamically detect merge strategy from repo settings" + desc: "Auto-merge should delegate to reusable workflow OR dynamically detect merge strategy from repo settings" # === AUTO-APPROVE (pr-quality.yml) COPILOT RACE CONDITION === - id: GH-33 From 74e5171d70fd1f1863e210fbe86a845de90d37c2 Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Fri, 24 Apr 2026 11:24:29 +0200 Subject: [PATCH 2/3] fix(checkpoints): GH-24..27 allow quoted uses: + auto-merge.yml glob Two review-driven fixes addressing 12 inline comments from copilot-pull-request-reviewer and gemini-code-assist: 1. **Optional quoting after uses:** YAML allows uses: foo, uses: 'foo', and uses: "foo". The previous regex only matched the unquoted form, so a perfectly-correct quoted reusable-workflow delegation would fail. Pattern updated to allow optional ' or " after the colon+whitespace. 2. **auto-merge.yml as alternate filename**: GH-23 already accepts either auto-merge-deps.yml or auto-merge.yml, but GH-24..27 targeted only auto-merge-deps.yml. Repos using auto-merge.yml would error on missing-target. Switched target to glob .github/workflows/auto-merge*.yml so both filenames work. Verified against: - netresearch/t3x-nr-llm (auto-merge-deps.yml, unquoted uses): pass - fabricated auto-merge.yml fixture with quoted uses: pass Signed-off-by: Sebastian Mendel --- skills/github-project/checkpoints.yaml | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/skills/github-project/checkpoints.yaml b/skills/github-project/checkpoints.yaml index 8decf0a..2e6090d 100644 --- a/skills/github-project/checkpoints.yaml +++ b/skills/github-project/checkpoints.yaml 
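Review bot: The delegation alternative added to the GH-24..27 `pattern:` lines matches the reusable-workflow path but not the ref that follows it, so a caller pinned to a mutable branch (the commit message's own example uses `@main`) satisfies the error-level GH-24 and the three checks behind it. Once delegation is accepted, the trigger, bot-gating and `--auto` behaviour are those of whichever revision the caller resolves, and none of these checkpoints inspects that. I would say so in the new comment block, e.g. `# Delegation is matched by path only; the ref after @ is not checked.`, and consider a separate warning-level checkpoint that expects a full commit SHA, with a pattern along the lines of `auto-merge-deps\.yml@[0-9a-f]{40}`.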
@@ -148,31 +148,35 @@ mechanical: # same bot-gating and --auto patterns. # GH-24..27 accept either path. + # Patterns allow optional quoting after `uses:` (YAML accepts uses: foo, + # uses: 'foo', uses: "foo"). Glob target accepts either auto-merge-deps.yml + # or auto-merge.yml (GH-23 already treats both as valid filenames). + - id: GH-24 type: regex - target: .github/workflows/auto-merge-deps.yml - pattern: 'uses:\s*netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|on:\s*\n\s*pull_request_target:' + target: .github/workflows/auto-merge*.yml + pattern: 'uses:[[:space:]]*["'\'']?netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|on:[[:space:]]*\n[[:space:]]*pull_request_target:' severity: error desc: "Auto-merge workflow must delegate to netresearch reusable workflow OR use pull_request_target trigger for bot PR write permissions" - id: GH-25 type: regex - target: .github/workflows/auto-merge-deps.yml - pattern: 'uses:\s*netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|github\.event\.pull_request\.user\.login' + target: .github/workflows/auto-merge*.yml + pattern: 'uses:[[:space:]]*["'\'']?netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|github\.event\.pull_request\.user\.login' severity: warning desc: "Auto-merge should delegate to reusable workflow OR check github.event.pull_request.user.login (not github.actor which changes on reruns)" - id: GH-26 type: regex - target: .github/workflows/auto-merge-deps.yml - pattern: 'uses:\s*netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|--auto' + target: .github/workflows/auto-merge*.yml + pattern: 'uses:[[:space:]]*["'\'']?netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|--auto' severity: warning desc: "Auto-merge should delegate to reusable workflow OR use gh pr merge --auto to respect branch protection and merge queues" - id: GH-27 type: regex - target: .github/workflows/auto-merge-deps.yml - pattern: 
'uses:\s*netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|gh api.*repos/\$' + target: .github/workflows/auto-merge*.yml + pattern: 'uses:[[:space:]]*["'\'']?netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|gh api.*repos/\$' severity: info desc: "Auto-merge should delegate to reusable workflow OR dynamically detect merge strategy from repo settings" From b43b2d5294d2f8ead5e64c40cdae1b17f0cfdd30 Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Fri, 24 Apr 2026 11:37:16 +0200 Subject: [PATCH 3/3] fix(checkpoints): drop uses: prefix in regex to keep YAML valid + match quoted MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous fix used 'uses:[[:space:]]*["'\'']?...' which generated a yamllint syntax error (single-quoted YAML can't embed lone ' that way). Switch to matching just the unique netresearch reusable-workflow path without the uses:-prefix wrapper. The path string is unique enough that 'uses: foo', 'uses: "foo"', and 'uses: '\''foo'\''' all match identically — quoting around the path is irrelevant to whether the delegation exists. Cleaner regex, no YAML escape issues. Verified against: - nr-llm (unquoted uses): all 4 pass - fabricated quoted uses + auto-merge.yml: all 4 pass - yamllint: clean Signed-off-by: Sebastian Mendel --- skills/github-project/checkpoints.yaml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/skills/github-project/checkpoints.yaml b/skills/github-project/checkpoints.yaml index 2e6090d..ff0601a 100644 --- a/skills/github-project/checkpoints.yaml +++ b/skills/github-project/checkpoints.yaml 
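Review bot: Changing `target:` to `.github/workflows/auto-merge*.yml` in GH-24..27 makes the outcome depend on how the checker treats a glob that matches more than one file, and that behaviour is not visible in this patch. If a single matching file is enough, a repository that holds a delegating `auto-merge-deps.yml` next to an inline `auto-merge.yml` without bot-gating would pass GH-25 on the strength of the first file alone. The glob also takes in any other name with that prefix while still missing the `.yaml` extension. The comment added above GH-24 should state whether every matched file must satisfy the pattern or any one of them, and the runner should be checked against that statement.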
@@ -152,31 +152,34 @@ mechanical: # uses: 'foo', uses: "foo"). Glob target accepts either auto-merge-deps.yml # or auto-merge.yml (GH-23 already treats both as valid filenames). + # The netresearch reusable-workflow path is unique enough to match without + # caring about uses:-line quoting (uses: foo, uses: 'foo', uses: "foo" all + # contain the netresearch/... substring identically). - id: GH-24 type: regex target: .github/workflows/auto-merge*.yml - pattern: 'uses:[[:space:]]*["'\'']?netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|on:[[:space:]]*\n[[:space:]]*pull_request_target:' + pattern: 'netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|on:[[:space:]]*\n[[:space:]]*pull_request_target:' severity: error desc: "Auto-merge workflow must delegate to netresearch reusable workflow OR use pull_request_target trigger for bot PR write permissions" - id: GH-25 type: regex target: .github/workflows/auto-merge*.yml - pattern: 'uses:[[:space:]]*["'\'']?netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|github\.event\.pull_request\.user\.login' + pattern: 'netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|github\.event\.pull_request\.user\.login' severity: warning desc: "Auto-merge should delegate to reusable workflow OR check github.event.pull_request.user.login (not github.actor which changes on reruns)" - id: GH-26 type: regex target: .github/workflows/auto-merge*.yml - pattern: 'uses:[[:space:]]*["'\'']?netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|--auto' + pattern: 'netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|--auto' severity: warning desc: "Auto-merge should delegate to reusable workflow OR use gh pr merge --auto to respect branch protection and merge queues" - id: GH-27 type: regex target: .github/workflows/auto-merge*.yml - pattern: 'uses:[[:space:]]*["'\'']?netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|gh api.*repos/\$' + pattern: 
'netresearch/\.github/\.github/workflows/auto-merge-deps\.yml|gh api.*repos/\$' severity: info desc: "Auto-merge should delegate to reusable workflow OR dynamically detect merge strategy from repo settings"
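Review bot: With the `uses:` prefix dropped, the delegation alternative in GH-24..27 is an unanchored substring, so it also matches an owner whose name merely ends in `netresearch` (constructed example: `uses: some-netresearch/.github/.github/workflows/auto-merge-deps.yml@main`) and matches the path when it appears only inside a `#` comment. Either case passes all four checkpoints, including the error-level GH-24, without the org's workflow being called. The prefix can be kept without any quote character in the YAML scalar by excluding owner-name characters instead, `uses:[[:space:]]*[^[:alnum:]-]?netresearch/\.github/\.github/workflows/auto-merge-deps\.yml`, assuming the checker's regex engine accepts the POSIX classes the pattern already uses. The comment kept as context above the new one (added in patch 2/3, "Patterns allow optional quoting after `uses:`") now describes the previous patterns and should be folded into the new wording.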