Reusable workflow that consumers call from their pr-guards.yml on pull_request:synchronize. When a new commit is pushed to an open PR that has auto-merge enabled, this disables auto-merge and posts a comment so the operator must explicitly re-engage after verifying.

Background: on 2026-04-27, PR #2174 in molecule-core auto-merged with only the first commit because the second commit was pushed AFTER the merge queue had locked the PR's SHA. The second commit ended up orphaned on a merged-and-deleted branch (the wider "automatically delete head branches" repo setting now blocks the push entirely; this workflow catches the race window where the PR is queued but not yet merged).

Defense in depth — if both fixes are active:

1. Repo setting "delete branch on merge" prevents pushes to a merged branch (post-merge orphan case).
2. This workflow catches in-queue races (push lands while the queue is processing) by force-disabling auto-merge so the operator must re-engage explicitly.

Together they cover the full lifecycle of "auto-merge enabled → new commits arrive" without relying on operator discipline.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

| | | |
|---|---|---|
| auto-promote-staging.yml | ||
| disable-auto-merge-on-push.yml | ||
| publish-template-image.yml | ||
| validate-org-template.yml | ||
| validate-plugin.yml | ||
| validate-workspace-template.yml | ||