From 1d42039850e8851c7480fc3f0fe0ab864684c23a Mon Sep 17 00:00:00 2001 From: Sebastien Tardif Date: Mon, 22 Jun 2026 16:19:22 -0700 Subject: [PATCH 1/2] docs: capture auto-approve self-modification lesson and other session learnings Signed-off-by: Sebastien Tardif --- AGENTS.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/AGENTS.md b/AGENTS.md index 0518e23..8eda00b 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -133,6 +133,13 @@ All I/O-dependent functions accept an `inputs` object with injectable callbacks changes are ready for review/merge. This ensures every pushed branch is backed by an open (draft) PR from the start. See `~/.grok/skills/owned-repo-gate/SKILL.md`. +- **Auto-approve self-modification gotcha:** PRs that change `.github/workflows/auto-approve.yml` + often cause the Auto-approve workflow to only emit "push" validation runs (0 jobs, failure). + No review is added via the normal `pull_request` path → REVIEW_REQUIRED / BLOCKED + despite green checks. Temporary fix: add yourself as bypass actor in the ruleset, + `gh pr merge --admin`, **immediately** remove the bypass. The `require_last_push_approval` + rule can still force `--admin` even with bypass. See ci-branch-protection skill + #159. + ## Release PRs - Strong Guard Release PRs (created by release-please, titled "chore: release ..." or "chore(main): release ...", or labeled `autorelease: pending`) MUST NEVER be merged (with `gh pr merge`, `--auto`, or otherwise) without the user's explicit approval. From b54c0dd06a26c5b91fba0bc964393013886106bf Mon Sep 17 00:00:00 2001 From: Sebastien Tardif Date: Mon, 22 Jun 2026 16:30:29 -0700 Subject: [PATCH 2/2] ci: harden auto-approve against self-modification (handle #159) - Make wf-changes detection resilient (|| echo) so it cannot fail the job after the approve step has run. - Use || echo on enable auto-merge (pattern from patchloom) so the workflow run succeeds even on GITHUB_TOKEN fallback for workflow-touching PRs. - Approval step remains early and unconditional for trusted actors. - Update AGENTS.md gotcha note with the resilience details and reference to patchloom + ci-branch-protection. This ensures reviews are submitted (when PR events run the main definition) and Auto-approve check reports success for such infra PRs. Fixes #159 Signed-off-by: Sebastien Tardif --- .github/workflows/auto-approve.yml | 10 +++++++--- AGENTS.md | 15 +++++++++------ 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml index 7857a24..a894ce9 100644 --- a/.github/workflows/auto-approve.yml +++ b/.github/workflows/auto-approve.yml @@ -34,14 +34,16 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: gh pr review --approve "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}" - # Check for workflow file changes early (to decide whether we can safely use App token for auto-merge) + # Check for workflow file changes early (to decide whether we can safely use App token for auto-merge). + # This step is made robust so a transient gh failure does not fail the job (approve step already ran). - name: Check for workflow file changes (use GITHUB_TOKEN fallback to avoid needing workflows:write on App) id: wf-changes env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | pr="${{ github.event.pull_request.number }}" - if gh pr view "$pr" --json files --jq '.files[].path' | grep -q '^\.github/workflows/'; then + files=$(gh pr view "$pr" --json files --jq '.files[].path' || echo "") + if echo "$files" | grep -q '^\.github/workflows/'; then echo "changes=true" >> "$GITHUB_OUTPUT" echo "PR touches .github/workflows/; will use GITHUB_TOKEN for auto-merge (no workflows:write needed on App)" else @@ -79,4 +81,6 @@ jobs: steps.release-guard.outputs.is_release_pr != 'true' env: GH_TOKEN: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }} - run: gh pr merge --auto --squash "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}" + run: | + gh pr merge --auto --squash "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}" \ + || echo "Could not enable auto-merge (common when PR modifies .github/workflows/* using GITHUB_TOKEN fallback, or release guard, or other). Approval from prior step still applies; use manual merge if needed." diff --git a/AGENTS.md b/AGENTS.md index 8eda00b..7f87c19 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -133,12 +133,15 @@ All I/O-dependent functions accept an `inputs` object with injectable callbacks changes are ready for review/merge. This ensures every pushed branch is backed by an open (draft) PR from the start. See `~/.grok/skills/owned-repo-gate/SKILL.md`. -- **Auto-approve self-modification gotcha:** PRs that change `.github/workflows/auto-approve.yml` - often cause the Auto-approve workflow to only emit "push" validation runs (0 jobs, failure). - No review is added via the normal `pull_request` path → REVIEW_REQUIRED / BLOCKED - despite green checks. Temporary fix: add yourself as bypass actor in the ruleset, - `gh pr merge --admin`, **immediately** remove the bypass. The `require_last_push_approval` - rule can still force `--admin` even with bypass. See ci-branch-protection skill + #159. +- **Auto-approve self-modification:** PRs that change `.github/workflows/auto-approve.yml` + cause GitHub to emit only "push" validation runs (0 jobs, failure) using the PR's workflow content + (the pull_request runs use the definition from main). The approve step runs early using + GITHUB_TOKEN (before wf-changes detection or merge logic) so reviews are added when the + pull_request workflow runs from main. The Enable auto-merge step uses `|| echo` so the + workflow reports success even when merge enable falls back or is restricted. In rare cases + where no review appears, use the emergency bypass in ci-branch-protection skill + #159 + (add bypass actor, `gh pr merge --admin`, remove bypass immediately). See also patchloom's + auto-approve.yml for the reference pattern. ## Release PRs - Strong Guard