fix(transcribe): default-deny path guard for local files (P0-1) #171
name: Auto merge

# Runs each time a review is submitted. The job checks whether both required
# bot reviewers (codex + copilot) have left a review and, if so, turns on
# auto-merge so GitHub finishes the merge once all CI / thread-resolution
# requirements are met.
#
# Why not `on: pull_request: [opened]`? That fires before any review can
# arrive, and GitHub's auto-merge cleared `required_conversation_resolution`
# while bot review threads were still in flight (race window observed on
# PR 412 / 417 / AgentLint 204).
on:
  pull_request_review:
    types:
      - submitted

# Default-deny at workflow level: a job gets no token scopes unless it
# declares them itself.
permissions: {}

jobs:
  enable:
    if: github.event.pull_request.draft == false
    runs-on: ubuntu-latest
    permissions:
      # enablePullRequestAutoMerge (called by `gh pr merge --auto`) needs
      # contents:write — pull-requests:write alone returns "Resource not
      # accessible by integration."
      contents: write
      pull-requests: write
    steps:
      - name: Enable auto-merge once codex + copilot have both reviewed
        env:
          # Event data reaches the script through the environment rather than
          # being expanded into the script text by `${{ }}`.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          PR: ${{ github.event.pull_request.number }}
        run: |
          set -e

          # Nothing to do when auto-merge was already requested for this PR.
          auto_merge=$(gh pr view "$PR" --repo "$REPO" --json autoMergeRequest --jq '.autoMergeRequest')
          if [ -n "$auto_merge" ] && [ "$auto_merge" != "null" ]; then
            echo "Auto-merge already enabled."
            exit 0
          fi

          # A reviewer counts as present when at least one review with that
          # exact login exists on the PR. The filter looks at neither the
          # review state nor the commit it was submitted against, so a review
          # left on an earlier push still satisfies it; what actually gates
          # the merge is the repository's branch-protection requirements.
          # Only the first page of the reviews listing is read (no
          # `--paginate`); a bot review beyond it would show up as missing.
          # NOTE(review): confirm these names match the `user.login` the REST
          # API returns for the App accounts (often suffixed `[bot]`).
          missing=()
          for r in chatgpt-codex-connector copilot-pull-request-reviewer; do
            count=$(gh api "/repos/$REPO/pulls/$PR/reviews" \
              --jq "[.[] | select(.user.login == \"$r\")] | length")
            # A non-integer count makes `[` fail with an error, which takes the
            # "not missing" path here.
            if [ "$count" -lt 1 ]; then
              missing+=("$r")
            fi
          done

          if [ ${#missing[@]} -eq 0 ]; then
            echo "Both required reviewers have reviewed. Enabling auto-merge."
            gh pr merge --auto --squash --repo "$REPO" "$PR"
          else
            echo "Waiting for review from: ${missing[*]}"
            exit 0
          fi