core/cli
8
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions 1
cli/.github/workflows/auto-merge.yml
Snider 799507881f Secure SSH commands and fix auto-merge CI failure 
Addresses OWASP security audit by enforcing strict host key verification
and fixes a CI failure in the auto-merge workflow.

Key changes:
- Replaced StrictHostKeyChecking=accept-new with yes in pkg/container and pkg/devops.
- Removed insecure host key verification from pkg/ansible.
- Implemented synchronous host key discovery using ssh-keyscan during VM boot.
- Handled missing known_hosts file in pkg/ansible.
- Refactored hardcoded SSH port to DefaultSSHPort constant.
- Added pkg/ansible/ssh_test.go to verify SSH client initialization.
- Fixed formatting in pkg/io/local/client.go.
- Fixed auto-merge.yml by inlining the script and providing repository context
  to 'gh' command, resolving the "not a git repository" error in CI.
2026-02-05 03:26:50 +00:00

48 lines
1.5 KiB
YAML
Raw Blame History

name: Auto Merge
on:
pull_request:
types: [opened, reopened, ready_for_review]
permissions:
pull-requests: write
contents: write
jobs:
merge:
runs-on: ubuntu-latest
if: github.event.pull_request.draft == false
steps:
- name: Enable auto-merge
uses: actions/github-script@v7
env:
PR_NUMBER: ${{ github.event.pull_request.number }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const author = context.payload.pull_request.user.login;
const association = context.payload.pull_request.author_association;
// Trusted bot accounts (act as org members)
const trustedBots = ['google-labs-jules[bot]'];
const isTrustedBot = trustedBots.includes(author);
// Check author association from webhook payload
const trusted = ['MEMBER', 'OWNER', 'COLLABORATOR'];
if (!isTrustedBot && !trusted.includes(association)) {
core.info(`${author} is ${association} — skipping auto-merge`);
return;
}
try {
await exec.exec('gh', [
'pr', 'merge', process.env.PR_NUMBER,
'--auto',
'--merge',
'-R', `${context.repo.owner}/${context.repo.repo}`
]);
core.info(`Auto-merge enabled for #${process.env.PR_NUMBER}`);
} catch (error) {
core.error(`Failed to enable auto-merge: ${error.message}`);
throw error;
}
Reference in a new issue View git blame Copy permalink