Move auto-merge into CI workflow as job dependency

[manana2520]

Summary

• The standalone auto-merge.yml workflow never fired because GitHub's security restriction prevents GITHUB_TOKEN-triggered events (AI/security reviewer approvals) from starting new workflow runs
• Moved auto-merge as a job inside ci.yml that depends on e2e-tests-staging via needs: — uses job dependency instead of event-based triggering
• Deleted the broken standalone auto-merge.yml
• Matches the pattern used in employee-provisioning repo where this works correctly

Test plan

• This PR itself should auto-merge after e2e tests pass (self-testing)
• Verify auto-merge job appears in CI pipeline after e2e-tests-staging

[github-actions]

LGTM. This PR correctly addresses a common GitHub Actions limitation where workflows triggered by GITHUB_TOKEN (e.g., AI/security review approvals) cannot, by default, trigger new workflow runs. By moving the auto-merge logic into the existing ci.yml as a job that needs the e2e-tests-staging job, it becomes part of the same workflow run triggered by the original pull_request event. This allows the GITHUB_TOKEN to function with the necessary pull-requests: write permission.

The logic for the auto-merge job is sound:

• It explicitly needs: e2e-tests-staging, ensuring it only runs after successful E2E tests.
• The if condition always() && needs.e2e-tests-staging.result == 'success' && github.event_name == 'pull_request' is robust, ensuring it runs only for PRs and specifically when E2E tests pass, even if upstream jobs have a mixed outcome (due to always()).
• The permissions are correctly scoped (contents: write, pull-requests: write).
• The gh pr merge --auto --squash command is the appropriate way to enable auto-merge, which will then wait for any remaining required checks (like human approvals) before merging.

This change aligns with best practices for handling GITHUB_TOKEN permissions in GitHub Actions and solves the stated problem effectively. The self-testing plan for this PR is an excellent way to verify the fix.

[github-actions]

🔒 Security Review

Security Score: A | 2 INFO

Security Review: Auto-Merge CI Workflow Migration

Decision: APPROVE ✅

This PR successfully resolves the broken auto-merge workflow by moving it from an event-based trigger to a job dependency within the CI pipeline. The security analysis finds no vulnerabilities.

Key Security Findings

✅ Access Control (A01) - PASS

• Auto-merge job correctly gates on github.event_name == 'pull_request' (line 331)
• Prevents auto-merge from running on push events to main
• Dependency on e2e-tests-staging ensures all gates pass before merge
• Required permissions are minimally scoped: contents: write, pull-requests: write

✅ Credentials & Secrets (A02) - PASS

• Uses secrets.GITHUB_TOKEN (standard GitHub-provided token, not custom secret)
• No hardcoded credentials in workflow logic
• GITHUB_TOKEN permissions are appropriately limited to PR/content write scope
• Token is not logged or exposed in any step

✅ Workflow Design - PASS

• Deletion of .github/workflows/auto-merge.yml eliminates the broken event-based trigger
• Job dependency pattern (needs: e2e-tests-staging) is more reliable than event-based triggering
• Matches proven pattern from employee-provisioning repo
• Self-healing: PR will auto-merge after e2e tests pass, validating the fix

✅ GitHub Token Security

• Uses gh pr merge CLI (GitHub's official tool) rather than REST API
• Token scope is restricted by runner environment
• No risk of token exfiltration via logs (GitHub masks secret values)

Threat Model Assessment

Previous Vulnerability (Fixed):

• Standalone auto-merge.yml could never fire due to GitHub's security restriction on GITHUB_TOKEN-triggered events
• This created a broken gate that appeared to pass but never executed

New Design (Secure):

• Job dependency model has no timing window for race conditions
• Auto-merge executes only if: (1) e2e tests succeed AND (2) all branch protection rules pass AND (3) event is PR (not push)
• No external event coordination required

Compliance with Repository Security Standards

This PR preserves all security patterns documented in the repository context:

• ✅ No credential exposure
• ✅ No logging of sensitive operations
• ✅ Maintains GitHub token least-privilege
• ✅ Respects branch protection rules
• ✅ No removal of security controls

Testing Notes

The PR description indicates self-testing: "This PR itself should auto-merge after e2e tests pass" — this is a valid validation approach for CI workflow changes.

Recommendation

APPROVE — This is a straightforward, security-preserving fix that resolves a broken workflow using a better architectural pattern. No security concerns identified.

Findings

🔵 [INFO] Auto-merge job uses gh pr merge with --auto flag which queues auto-merge but does not immediately merge. This is a design choice, not a security flaw.

File: .github/workflows/ci.yml:line 338
Category: A04_insecure_design
Impact: No immediate security impact. The auto-merge will execute once all required checks pass, maintaining the intended workflow protection.
Recommendation: No action required. This is the correct pattern for GitHub's auto-merge feature.

🔵 [INFO] Auto-merge job correctly restricts to PRs only (github.event_name == 'pull_request') and requires e2e-tests to pass before executing.

File: .github/workflows/ci.yml:line 331
Category: A01_access_control
Impact: Positive security control - prevents unwanted merges on push events and ensures test gate is satisfied.
Recommendation: No action required. Access control is properly configured.

OWASP Top 10 Checklist

Category	Status
A01 Access Control	✅ PASS
A02 Crypto Failures	✅ PASS
A03 Injection	✅ PASS
A04 Insecure Design	✅ PASS
A05 Misconfiguration	✅ PASS
A06 Vulnerable Components	➖ N/A
A07 Auth Failures	✅ PASS
A08 Integrity Failures	✅ PASS
A09 Logging Monitoring	✅ PASS
A10 Ssrf	✅ PASS

---

🤖 Security review powered by Claude