From 8f369000ad65a71f911ad1834d67da60e1996a95 Mon Sep 17 00:00:00 2001
From: Snider
Date: Wed, 4 Feb 2026 17:51:00 +0000
Subject: [PATCH] ci(workflows): replace inline pr-gate and auto-merge with org reusable callers (#303)

Moves the logic to host-uk/.github org-wide reusable workflows. Fixes org-gate failure: uses author_association from webhook payload instead of checkMembershipForUser (GITHUB_TOKEN lacks org scope).

Co-authored-by: Claude Opus 4.5
---
 .github/workflows/auto-merge.yml | 36 +++---------------------------
 .github/workflows/pr-gate.yml | 38 +++-----------------------------
 2 files changed, 6 insertions(+), 68 deletions(-)

diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
index ec3cf86b..38594eb4 100644
--- a/.github/workflows/auto-merge.yml
+++ b/.github/workflows/auto-merge.yml
@@ -4,37 +4,7 @@ on:
 pull_request:
 types: [opened, reopened, ready_for_review]
 
-permissions:
- contents: write
- pull-requests: write
-
 jobs:
- auto-merge:
- if: "!github.event.pull_request.draft"
- runs-on: ubuntu-latest
- steps:
- - name: Check org membership and enable auto-merge
- uses: actions/github-script@v7
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- PR_NUMBER: ${{ github.event.pull_request.number }}
- with:
- script: |
- const { owner, repo } = context.repo;
- const author = context.payload.pull_request.user.login;
-
- try {
- await github.rest.orgs.checkMembershipForUser({
- org: owner,
- username: author,
- });
- } catch {
- core.info(`${author} is not an org member — skipping auto-merge`);
- return;
- }
-
- await exec.exec('gh', [
- 'pr', 'merge', process.env.PR_NUMBER,
- '--auto', '--squash',
- ]);
- core.info(`Auto-merge enabled for #${process.env.PR_NUMBER}`);
+ merge:
+ uses: host-uk/.github/.github/workflows/auto-merge.yml@dev
+ secrets: inherit
diff --git a/.github/workflows/pr-gate.yml b/.github/workflows/pr-gate.yml
index 299f186b..7fd5d6b4 100644
--- a/.github/workflows/pr-gate.yml
+++ b/.github/workflows/pr-gate.yml
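Review bot: The added `uses: host-uk/.github/.github/workflows/auto-merge.yml@dev` resolves the callee from a mutable branch while `secrets: inherit` passes it every secret this workflow can see, so any push to `dev` in the org repository changes what runs here with merge rights and no review in this repo. Pin the reference to a full commit SHA, e.g. `uses: host-uk/.github/.github/workflows/auto-merge.yml@<full-commit-sha>`, and pass only the secrets the callee actually needs instead of inheriting all of them. The hunk also deletes the caller's `permissions:` block; because the caller's permissions are the upper bound for the called workflow's GITHUB_TOKEN, the scope now falls back to the repository or org default, so keep `permissions:` with `contents: write` and `pull-requests: write` on the `merge:` job. The same `@dev` plus `secrets: inherit` pattern is added in the pr-gate.yml hunk.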
@@ -4,39 +4,7 @@ on:
 pull_request_target:
 types: [opened, synchronize, reopened, labeled]
 
-permissions:
- contents: read
-
 jobs:
- org-gate:
- runs-on: ubuntu-latest
- steps:
- - name: Check org membership or approval label
- uses: actions/github-script@v7
- with:
- script: |
- const { owner, repo } = context.repo;
- const author = context.payload.pull_request.user.login;
-
- // Check if author is an org member
- try {
- await github.rest.orgs.checkMembershipForUser({
- org: owner,
- username: author,
- });
- core.info(`${author} is an org member — gate passed`);
- return;
- } catch {
- core.info(`${author} is not an org member — checking for label`);
- }
-
- // Check for external-approved label
- const labels = context.payload.pull_request.labels.map(l => l.name);
- if (labels.includes('external-approved')) {
- core.info('external-approved label present — gate passed');
- return;
- }
-
- core.setFailed(
- `External PR from ${author} requires an org member to add the "external-approved" label before merge.`
- );
+ gate:
+ uses: host-uk/.github/.github/workflows/pr-gate.yml@dev
+ secrets: inherit
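Review bot: Adding `secrets: inherit` to the `gate:` job of a `pull_request_target` workflow is the riskiest line in this hunk. This trigger runs in the base-repository context even for fork PRs, so repository secrets are now forwarded on externally opened PRs to a callee resolved from the mutable `@dev` ref, and the explicit `permissions: contents: read` cap is removed at the same time. The removed inline gate only read the webhook payload and made one API call, so the new job should need no secrets. Drop `secrets: inherit`, keep `permissions:` with `contents: read` on the job, and pin `uses:` to a full commit SHA. The commit message says the callee now decides on `author_association`; that logic is outside this diff, so confirm in the org workflow which association values pass the gate and that it never checks out or runs PR head code.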