fix(ci): clarify protected-branch auto-merge failure and add regression tests

Agent-Logs-Url: https://github.com/wallstop/fortress-rollback/sessions/3206be6d-571a-4ff3-ae8f-d4d55f409f31

Co-authored-by: wallstop <[email protected]>

Author: Copilot

.llm/context.md

@@ -159,7 +159,7 @@ Pre-commit validates registration only, NOT that proofs pass. Run affected proof
 
 Also: `ci-rust.yml` (Miri), `ci-security.yml` (cargo-geiger, cargo-deny).
 
-Dependabot auto-merge policy: this repository is squash-only and the auto-merge job MUST wait for every non-self CI gate on the PR head SHA to reach an explicitly accepted state (`success`, `skipped`, `neutral`) before enabling merge. Anything else -- including `failure`, `timed_out`, `cancelled`, `action_required`, `startup_failure`, `stale`, missing/`null` conclusions, or future GitHub-added states -- refuses the merge (allow-list semantics). Use `scripts/ci/enable-dependabot-automerge.sh` -- never inline `gh pr merge` in workflows, never re-introduce a "one-shot" / bypass path, never wrap the script in a sub-job-level `timeout`. Regression-tested in `scripts/tests/test_enable_dependabot_automerge.py`.
+Dependabot auto-merge policy: this repository is squash-only and the auto-merge job MUST wait for every non-self CI gate on the PR head SHA to reach an explicitly accepted state (`success`, `skipped`, `neutral`) before enabling merge. Anything else -- including `failure`, `timed_out`, `cancelled`, `action_required`, `startup_failure`, `stale`, missing/`null` conclusions, or future GitHub-added states -- refuses the merge (allow-list semantics). GitHub also requires protected-branch rules (for example, requiring pull requests before merge) on the PR base branch before `enablePullRequestAutoMerge` can succeed. Use `scripts/ci/enable-dependabot-automerge.sh` -- never inline `gh pr merge` in workflows, never re-introduce a "one-shot" / bypass path, never wrap the script in a sub-job-level `timeout`. Regression-tested in `scripts/tests/test_enable_dependabot_automerge.py`.
 
 **CI fails on:** unformatted code, clippy warnings, broken doc links, markdown lint errors, workflow syntax errors, unregistered Kani proofs.
 

scripts/ci/enable-dependabot-automerge.sh

@@ -102,6 +102,9 @@ attempt_automerge() {
         return 0
     fi
     echo "Auto-merge attempt failed for squash strategy: $output" >&2
+    if [[ "$output" == *"enablePullRequestAutoMerge"* ]] && [[ "$output" == *"required protected branch rules"* ]]; then
+        echo "GitHub auto-merge requires protected branch rules on the PR base branch (for example, require pull requests before merging)." >&2
+    fi
     return 1
 }
 

scripts/tests/test_enable_dependabot_automerge.py

@@ -124,6 +124,11 @@ def _write_stub_gh(path: Path) -> None:
 if [[ "$cmd" == "pr" && "$subcmd" == "merge" ]]; then
     printf '%s\\n' "pr merge $*" >> "${GH_LOG_PATH:?GH_LOG_PATH is required}"
     success_flag="${GH_MERGE_SUCCESS_FLAG:-__none__}"
+    error_message="${GH_MERGE_ERROR_MESSAGE:-}"
+    if [[ -n "$error_message" ]]; then
+        printf '%s\\n' "$error_message" >&2
+        exit 1
+    fi
     if [[ "$success_flag" == "__none__" ]]; then
         if [[ "$*" == *"--squash"* || "$*" == *"--rebase"* || "$*" == *"--merge"* ]]; then
             exit 1
@@ -291,6 +296,54 @@ def test_fails_on_merge_policy_drift(tmp_path: Path) -> None:
     assert not log_path.exists()
 
 
+def test_reports_branch_protection_requirement_when_automerge_api_rejects(tmp_path: Path) -> None:
+    result = _run_script(
+        tmp_path,
+        {
+            "GH_MERGE_ERROR_MESSAGE": (
+                "GraphQL: Pull request Branch does not have required protected branch rules "
+                "(enablePullRequestAutoMerge)"
+            ),
+            "GH_ALLOW_SQUASH": "true",
+            "GH_ALLOW_REBASE": "false",
+            "GH_ALLOW_MERGE": "false",
+        },
+    )
+    assert result.returncode == 1
+    assert "required protected branch rules" in result.stderr
+    assert "GitHub auto-merge requires protected branch rules" in result.stderr
+    log_lines = (tmp_path / "gh.log").read_text(encoding="utf-8").splitlines()
+    assert len(log_lines) == 3
+    assert "--required --json name --jq length" in log_lines[0]
+    assert "--required --json name,state,link" in log_lines[1]
+    assert "--squash" in log_lines[2]
+
+
+def test_does_not_report_branch_protection_requirement_for_other_automerge_errors(
+    tmp_path: Path,
+) -> None:
+    result = _run_script(
+        tmp_path,
+        {
+            "GH_MERGE_ERROR_MESSAGE": (
+                "GraphQL: Auto-merge is disabled for this pull request "
+                "(enablePullRequestAutoMerge)"
+            ),
+            "GH_ALLOW_SQUASH": "true",
+            "GH_ALLOW_REBASE": "false",
+            "GH_ALLOW_MERGE": "false",
+        },
+    )
+    assert result.returncode == 1
+    assert "enablePullRequestAutoMerge" in result.stderr
+    assert "GitHub auto-merge requires protected branch rules" not in result.stderr
+    log_lines = (tmp_path / "gh.log").read_text(encoding="utf-8").splitlines()
+    assert len(log_lines) == 3
+    assert "--required --json name --jq length" in log_lines[0]
+    assert "--required --json name,state,link" in log_lines[1]
+    assert "--squash" in log_lines[2]
+
+
 def test_falls_back_to_all_checks_when_required_checks_count_is_zero(
     tmp_path: Path,
 ) -> None: