From 82b366fce52fc4cb90bbc5aef25bfbe6b15acc2c Mon Sep 17 00:00:00 2001
From: Hongming Wang
Date: Mon, 27 Apr 2026 06:39:31 -0700
Subject: [PATCH] ci: add pr-guards caller that disables auto-merge on push
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Thin caller for molecule-ci's reusable disable-auto-merge-on-push
workflow. Forces operator re-engagement when a commit is pushed to an
open PR with auto-merge already enabled.

Pairs with the org-wide "Automatically delete head branches" repo
setting (also enabled today). Defense in depth:

1. Repo setting blocks pushes to a merged-and-deleted branch
   (post-merge orphan case — what bit #2174 today: my second commit
   landed on an already-merged-and-deleted branch).
2. This workflow catches in-queue races (push lands while the merge
   queue is processing) by disabling auto-merge so the operator must
   explicitly re-engage.

Together they cover the full lifecycle of "auto-merge enabled → new
commits arrive" without relying on operator discipline.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/pr-guards.yml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 .github/workflows/pr-guards.yml

diff --git a/.github/workflows/pr-guards.yml b/.github/workflows/pr-guards.yml
new file mode 100644
index 00000000..29645b58
--- /dev/null
+++ b/.github/workflows/pr-guards.yml
@@ -0,0 +1,22 @@ +name: pr-guards + +# Thin caller that delegates to the molecule-ci reusable guard. Today +# the guard is just "disable auto-merge when a new commit is pushed +# after auto-merge was enabled" — added 2026-04-27 after PR #2174 +# auto-merged with only its first commit because the second commit +# was pushed after the merge queue had locked the PR's SHA. +# +# When more PR-time guards land in molecule-ci, add them here as +# additional jobs that share the same pull_request:synchronize +# trigger. + +on: + pull_request: + types: [synchronize] + +permissions: + pull-requests: write + +jobs: + disable-auto-merge-on-push: + uses: Molecule-AI/molecule-ci/.github/workflows/disable-auto-merge-on-push.yml@main
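Review bot: The `uses:` line that closes the hunk references the reusable workflow at `@main`, a mutable ref, while this caller grants `pull-requests: write`. Any change that lands on molecule-ci's `main` branch will therefore run in this repository with a write-capable token on every push to an open PR, without a review in this repo. Pin the reference to a full commit SHA (keeping the branch or tag name in a trailing comment) and bump it deliberately. Since the header comment anticipates more guards being added as additional jobs, consider also moving the `permissions:` block from the workflow level to the `disable-auto-merge-on-push` job so that later jobs do not inherit `pull-requests: write` by default.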