From 500d4a1354442a92d96934960d3d4402c5716fa2 Mon Sep 17 00:00:00 2001 From: Hongming Wang Date: Mon, 27 Apr 2026 06:46:24 -0700 Subject: [PATCH] docs: add disable-auto-merge-on-push to README MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Documents the new reusable workflow shipped in PR #10: - Caller pattern (~10 lines per consuming repo) under Usage - Full description in "What each workflow validates" — explains the 2026-04-27 motivation, the org-wide repo setting it pairs with, and the false-positive note for CI bot pushes Companion to molecule-core CONTRIBUTING.md update (PR #2177) which documents the contract from the developer's perspective. Both must land for the safety guards to be discoverable from where teams read. Co-Authored-By: Claude Opus 4.7 (1M context) --- README.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/README.md b/README.md index 03e5d3b..b7415c0 100644 --- a/README.md +++ b/README.md @@ -37,6 +37,25 @@ jobs: uses: Molecule-AI/molecule-ci/.github/workflows/validate-org-template.yml@main ``` +### Any repo with auto-merge enabled + +PR-time guards (currently: disable auto-merge on follow-up push). Consume from a thin caller: + +```yaml +# .github/workflows/pr-guards.yml +name: pr-guards +on: + pull_request: + types: [synchronize] +permissions: + pull-requests: write +jobs: + disable-auto-merge-on-push: + uses: Molecule-AI/molecule-ci/.github/workflows/disable-auto-merge-on-push.yml@main +``` + +When the team lands more PR-time guards in this repo, add them as additional jobs in the same caller — keeps each consuming repo's footprint to one file. + ## What each workflow validates ### validate-plugin 
@@ -74,6 +93,21 @@ jobs: | `template_schema_version` present | Warning | Missing version contract | | No committed secrets | Error | Leaked API keys | +### disable-auto-merge-on-push + +PR-time safety guard. When `pull_request:synchronize` fires (= a new commit pushed to an open PR) and auto-merge is already enabled, this workflow disables auto-merge and posts a comment requiring the operator to re-engage explicitly. + +**Why it exists:** on 2026-04-27, molecule-core PR #2174 auto-merged with only its first commit because the second commit was pushed AFTER the merge queue had locked the PR's SHA. The second commit ended up orphaned on a merged-and-deleted branch. + +**Pairs with the org-wide repo setting** "Automatically delete head branches" (already enabled on all 10 Molecule-AI repos). Defense in depth: + +1. Repo setting blocks pushes to a merged-and-deleted branch (catches the post-merge orphan case). +2. This workflow catches the in-queue race (push during queue processing) by force-disabling auto-merge. + +Together they cover the full lifecycle of "auto-merge enabled → new commits arrive" without operator discipline. + +**False-positive note:** if a CI bot pushes (dependency update, secret rotation), this also disables auto-merge. That's intentional — the operator who originally enabled auto-merge gets notified and re-engages, which is exactly the verify-after-machine-edits behavior we want. + ## License Business Source License 1.1 — © Molecule AI.
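Review bot: In the caller snippet under "Any repo with auto-merge enabled", the reusable workflow is referenced as `disable-auto-merge-on-push.yml@main`, a mutable ref, so every consuming repo silently picks up whatever lands on `main` of molecule-ci; since this job holds `pull-requests: write`, consider documenting a pinned tag or commit SHA for the `uses:` line (or at least noting the trade-off), even though the existing `validate-org-template.yml@main` example follows the same pattern. The snippet should also state that the guard only acts on pushes to same-repo branches: on `pull_request` events from forks the `GITHUB_TOKEN` is read-only regardless of the `permissions:` block, so auto-merge would not be disabled there. A one-line note next to `permissions:` would keep consuming teams from expecting coverage they do not get.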
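Review bot: In the "Defense in depth" list, item 1 says the repo setting "blocks pushes to a merged-and-deleted branch", but "Automatically delete head branches" only deletes the ref after merge; a later `git push` to that name recreates the branch rather than being rejected, so the orphaned commit is still pushed, just onto a fresh branch with no open PR. Either cite the mechanism that actually rejects the push or reword item 1 to what the setting does (the late commit lands visibly on an un-merged branch instead of disappearing into the merged history), so "Together they cover the full lifecycle" is not overstated. Separately, the "False-positive note" would be clearer if it named what happens to the bot PR afterwards: with auto-merge force-disabled, dependency-update PRs stall until a human re-enables it, which is the intended behaviour but worth spelling out for teams that rely on unattended bot merges.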