
ci: adopt reusable auto-arm-merge workflow#128

Open
chitcommit wants to merge 2 commits into main from feat/auto-arm-merge

Conversation

@chitcommit chitcommit commented Jun 4, 2026


Summary

Adopts the reusable auto-arm-merge workflow from chittyfoundation/.github (see chittyfoundation/.github#7). On every non-draft PR open / ready_for_review / reopen, this arms 'gh pr merge --auto --squash --delete-branch'.

Squash ruleset already locked on this repo; required checks still gate the actual merge.

Skip conditions

Drafts, dependabot/renovate, titles starting with WIP/[WIP]/Draft:/DO NOT MERGE, forks.

Test plan

  • After merge, open a test PR and confirm auto-merge is armed
  • Open a draft PR and confirm it's skipped

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Added automated pull request merge configuration to streamline the development workflow.

Calls chittyfoundation/.github reusable workflow to arm
auto-merge --squash --delete-branch on every non-draft PR.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
github-actions Bot commented Jun 4, 2026


@coderabbitai review

Please evaluate:

  • Security implications
  • Credential exposure risk
  • Dependency supply chain concerns
  • Breaking API changes

coderabbitai Bot commented Jun 4, 2026


Review Change Stack

📝 Walkthrough

Walkthrough

A new GitHub Actions workflow file is added that automatically triggers on pull request lifecycle events (opened, ready for review, reopened) and delegates execution to an external reusable workflow maintained in the chittyfoundation organization.

Changes

Auto-Arm Merge Workflow

Layer: Workflow trigger and delegation
File(s): .github/workflows/auto-arm-merge.yml
Summary: New workflow listens for pull request opened, ready_for_review, and reopened events and delegates execution to the external reusable workflow chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main via the arm job.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A workflow springs to life, so neat,
Auto-merging pulls with hopping feet!
External delegates, reused with care,
Pull requests bloom—the magic's there! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The pull request title accurately describes the main change: adopting a reusable auto-arm-merge workflow into the CI configuration, which is the core purpose of this changeset.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


claude Bot commented Jun 4, 2026


Code Review — PR #128: ci: adopt reusable auto-arm-merge workflow

Overview

This PR adds a 7-line caller workflow that delegates all logic to the reusable chittyfoundation/.github/.github/workflows/auto-arm-merge.yml. The intent is clean — centralise auto-arm logic in the org's shared .github repo and consume it here. The approach is correct in principle, but there are a few issues worth addressing before merge.


Issues

1. Pinned to @main, not a commit SHA — supply-chain risk

uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main

Any future commit to chittyfoundation/.github main is immediately trusted and executed in this repo without a review cycle. If that upstream workflow is ever modified (accidentally or maliciously), every PR in this repo could silently get auto-merged. GitHub's hardened workflow guidance and CISA/SLSA both recommend pinning reusable workflows to a full commit SHA.

Suggestion: pin to the current HEAD SHA of the reusable workflow and update it deliberately, e.g.:

uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@<full-sha>

2. No permissions: block on the caller

The workflow file has no permissions: key. To arm gh pr merge --auto, the GITHUB_TOKEN needs at minimum pull-requests: write and contents: write. Without an explicit declaration:

  • If the repo's default token permissions are read-all (the recommended hardened default), the reusable workflow will silently fail to arm merge with a 403.
  • If the repo default is write-all, permissions are broader than necessary, violating least-privilege.

Suggestion: add an explicit permissions block on the caller, or confirm the reusable workflow declares permissions itself (which requires inherit semantics in the caller):

jobs:
  arm:
    permissions:
      pull-requests: write
      contents: write
    uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main

Or, if the reusable workflow handles permissions internally, document that here so it's clear the omission is intentional.

3. synchronize trigger is missing

The workflow fires on opened, ready_for_review, and reopened — but not synchronize. A PR can be opened, armed, then have its title changed to WIP: ... via a force-push or amendment. Without re-evaluating on synchronize, a PR that later becomes WIP-tagged stays armed. The skip conditions mentioned in the PR description (WIP/Draft titles) are evaluated once at arm time, not continuously.

This may be intentional if the reusable workflow handles un-arming separately, but it's worth confirming. If not, add synchronize to the trigger types.

4. Governance secret policy coverage gap

The governance gate in governance-gates.yml scans *.github/workflows/*.yml in this repo for secret references. The reusable workflow at chittyfoundation/.github is executed but not scanned — any secrets it consumes are invisible to the allowlist check in .github/allowed-workflow-secrets.txt. This is an inherent limitation of the centralised model. Worth noting explicitly in a comment or in allowed-workflow-secrets.txt so future maintainers don't assume the allowlist is complete.


Minor Notes

  • No concurrency: block; opened and reopened could fire in quick succession. The actual risk is low (arming merge twice is idempotent), but a concurrency group would be tidy.
  • Test plan is pre-merge — the two checkboxes are post-merge validations, not pre-merge CI. That's fine, but make sure someone actually runs through them after merge before the first real PR goes through.

Summary

Correctness | Likely correct once permissions are confirmed
Security | @main pinning is the primary concern
Conventions | Follows project's reusable-workflow pattern
Test coverage | N/A for a CI workflow; manual post-merge check planned

Verdict: Two items should be resolved before merge — the @main pin (#1) and the permissions story (#2). Item #3 is worth a quick check against the upstream workflow. Everything else is low-severity.
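Item 4 above describes a gap rather than a bug: an allowlist scan of this repo's workflow files cannot see what a reusable workflow in another repository consumes. The script below is an added example, not the repository's governance-gates.yml (whose exact logic is not shown on this page). It checks every secrets.NAME reference in a set of workflow texts against an allowlist and, separately, reports each job-level uses: that calls a reusable workflow outside the repo, noting whether secrets: inherit forwards every repository secret to it, so the "unscanned" part of the trust boundary is written down instead of assumed. Assumptions: the allowlist is one secret name per line with # comments, GITHUB_TOKEN needs no allowlist entry, and the sample workflows, allowlist and the example-org reference are constructed for the demonstration.

```python
"""Secret-reference allowlist check that also reports what the scan cannot see:
remote reusable workflows called from a job. Added example, not the repository's
governance-gates.yml. Assumed allowlist format: one secret name per line, '#' comments.
"""
import re

SECRET_REF = re.compile(r"\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")
JOB_USES = re.compile(r"^\s*uses:\s*['\"]?([^\s'\"]+)")   # job-level key, not a `- uses:` step
SECRETS_INHERIT = re.compile(r"^\s*secrets:\s*inherit\b")
IMPLICIT = {"GITHUB_TOKEN"}   # assumption: the auto-provisioned token needs no allowlist entry


def parse_allowlist(text):
    """Allowed secret names, one per line; blank lines and '#' comments are ignored."""
    names = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            names.add(entry)
    return names


def is_remote_reusable(target):
    """True for a uses: target that leaves this repo and points at a workflow file."""
    path = target.rsplit("@", 1)[0]
    return not target.startswith("./") and (
        "/.github/workflows/" in path or path.endswith((".yml", ".yaml")))


def _job_inherits_secrets(lines, idx, indent):
    """Scan the job block around lines[idx] (keys at `indent`) for `secrets: inherit`."""
    for block in (lines[idx + 1:], reversed(lines[:idx])):
        for raw in block:
            line = raw.split("#", 1)[0]
            if not line.strip():
                continue
            cur = len(line) - len(line.lstrip())
            if cur < indent:            # left the job block
                break
            if cur == indent and SECRETS_INHERIT.match(line):
                return True
    return False


def check_secret_policy(workflows, allowlist):
    """workflows: {path: text}. Returns (disallowed, unscanned):
    disallowed = [(path, line, name)] for secrets.NAME references outside the allowlist;
    unscanned  = [(path, line, target, inherits_all)] for remote reusable workflows whose
    own secret usage this scan cannot inspect."""
    disallowed, unscanned = [], []
    for path, text in workflows.items():
        lines = text.splitlines()
        for idx, raw in enumerate(lines):
            line = raw.split("#", 1)[0]
            for name in SECRET_REF.findall(line):
                if name not in allowlist and name not in IMPLICIT:
                    disallowed.append((path, idx + 1, name))
            m = JOB_USES.match(line)
            if m and is_remote_reusable(m.group(1)):
                indent = len(line) - len(line.lstrip())
                unscanned.append((path, idx + 1, m.group(1),
                                  _job_inherits_secrets(lines, idx, indent)))
    return disallowed, unscanned


# Constructed inputs for the demonstration (secret names and example-org are not real).
ALLOWLIST = "# allowed-workflow-secrets (constructed)\nEXAMPLE_DEPLOY_TOKEN\n"
WORKFLOWS = {
    "deploy.yml": """\
name: Deploy
on: push
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh
        env:
          TOKEN: ${{ secrets.EXAMPLE_DEPLOY_TOKEN }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          EXTRA: ${{ secrets.UNLISTED_TOKEN }}
""",
    "auto-arm-merge.yml": """\
name: Auto-Arm Merge
on:
  pull_request:
    types: [opened, ready_for_review, reopened]
jobs:
  arm:
    uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main
""",
    "release.yml": """\
name: Release
on: workflow_dispatch
jobs:
  publish:
    uses: example-org/shared/.github/workflows/publish.yml@main
    secrets: inherit
""",
}

if __name__ == "__main__":
    disallowed, unscanned = check_secret_policy(WORKFLOWS, parse_allowlist(ALLOWLIST))
    for path, line, name in disallowed:
        print(f"DISALLOWED {path}:{line} secrets.{name} is not in the allowlist")
    for path, line, target, inherits in unscanned:
        scope = "ALL repository secrets forwarded (secrets: inherit)" if inherits else "no named secrets forwarded"
        print(f"UNSCANNED  {path}:{line} {target}: {scope}; its own secret use is outside this scan")
```

Run on the constructed inputs it flags the one reference missing from the allowlist, and lists both remote reusable workflows as unscanned, distinguishing the caller in this PR (nothing forwarded) from a job that forwards everything with secrets: inherit. A gate built this way can fail on the first category and print the second, so that the allowlist's scope is stated on every run.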

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 46c2391a6e

Comment on lines +6 to +7:
  arm:
    uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main


P2 Badge Grant write permissions to the merge job

In repos/orgs configured with the restricted default GITHUB_TOKEN, this reusable workflow will start but won't be able to arm auto-merge because the caller job doesn't pass any write scopes. GitHub's reusable-workflow semantics say that when jobs.<job_id>.permissions is omitted the called workflow only receives the caller's default token permissions, and the called workflow can only downgrade—not elevate—them; since the adopted workflow runs gh pr merge --auto --squash --delete-branch, it needs the caller job to explicitly grant the PR/content write scopes (for example pull-requests: write and contents: write) or the first non-draft PR will fail to arm.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/auto-arm-merge.yml:
- Line 7: Update the reusable workflow reference string currently set to
"chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main": correct
the upstream path to the actual reusable workflow file in the chittyfoundation
repo (remove the duplicated ".github" segment and use the exact filename that
exists) and then replace the branch reference "`@main`" with the specific commit
SHA that contains that valid workflow to pin it; ensure the updated reference
matches the existing file name in the upstream repo and uses the full
40-character commit SHA.

📥 Commits

Reviewing files that changed from the base of the PR and between e296809 and 46c2391.

📒 Files selected for processing (1)
  • .github/workflows/auto-arm-merge.yml

    types: [opened, ready_for_review, reopened]
jobs:
  arm:
    uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main


⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Fetch the latest commit SHA from the upstream workflow repository

# Get the latest commit SHA from the main branch of the external workflow
gh api repos/chittyfoundation/.github/commits/main --jq '.sha'

# Verify the workflow file exists at that path
gh api repos/chittyfoundation/.github/contents/.github/workflows/auto-arm-merge.yml --jq '.sha'

Repository: chittyapps/chittyfinance

Length of output: 279


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Local workflow: .github/workflows/auto-arm-merge.yml ==="
ls -la .github/workflows || true
sed -n '1,200p' .github/workflows/auto-arm-merge.yml || true

echo
echo "=== Upstream: chittyfoundation/.github ==="
# Get commit SHA of main (should succeed even if file path is wrong)
echo "--- main commit sha ---"
gh api repos/chittyfoundation/.github/commits/main --jq '.sha'

# List contents of the likely workflows directory
echo
echo "--- list .github/workflows/ in upstream (ref=main) ---"
gh api repos/chittyfoundation/.github/contents/.github/workflows?ref=main --jq '.[] | {name, path, sha}' | head -n 200

# Also try alternative common location without the leading .github/
echo
echo "--- list workflows/ in upstream (ref=main) ---"
gh api repos/chittyfoundation/.github/contents/workflows?ref=main --jq '.[] | {name, path, sha}' | head -n 200

# Check a few likely filenames near the one referenced
echo
echo "--- search for files containing 'auto' in .github/workflows (ref=main) ---"
gh api repos/chittyfoundation/.github/contents/.github/workflows?ref=main --jq '.[] | select(.name|test("auto";"i")) | {name, path}' | head -n 200

Repository: chittyapps/chittyfinance

Length of output: 2426


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== .github/workflows/auto-arm-merge.yml (full) ==="
cat -n .github/workflows/auto-arm-merge.yml

Repository: chittyapps/chittyfinance

Length of output: 348


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Find whether the referenced workflow file exists anywhere in the upstream repo tree
gh api repos/chittyfoundation/.github/git/trees/main?recursive=1 --jq '
  [.tree[]
    | select(.path|test("auto-arm-merge\\.yml$";"i"))
    | {path, type, sha}
  ] | .[0:20]
'

Repository: chittyapps/chittyfinance

Length of output: 71


🏁 Script executed:

#!/bin/bash
set -euo pipefail

UP="chittyfoundation/.github"

echo "=== Git tree scan for paths containing arm-merge / auto-arm-merge ==="
gh api repos/$UP/git/trees/main?recursive=1 --jq '
  [.tree[]
    | select(.path|test("(auto-)?arm-merge";"i"))
    | {path, sha}
  ][0:50]
'

echo
echo "=== Git tree scan for any paths containing 'arm' (broader) ==="
gh api repos/$UP/git/trees/main?recursive=1 --jq '
  [.tree[]
    | select(.path|test("arm";"i"))
    | {path, sha}
  ][0:50]
'

echo
echo "=== GitHub code search for auto-arm-merge (if supported) ==="
gh api "search/code?q=repo:chittyfoundation/.github%20auto-arm-merge&per_page=20" --jq '
  [.items[] | {path, html_url}]
'

Repository: chittyapps/chittyfinance

Length of output: 273


Pin the reusable workflow reference (and fix the upstream path)

.github/workflows/auto-arm-merge.yml invokes chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main, which tracks the upstream main branch and can change without this repo’s review. Also, that referenced auto-arm-merge.yml path doesn’t exist in chittyfoundation/.github on main (404 from the contents API; no matching auto-arm-merge/arm paths in the repo tree), so the reference appears stale/broken—fix the path first, then pin to the upstream commit SHA that contains the correct reusable workflow.

🔒 Proposed fix to pin the workflow reference
-    uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main
+    uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@<commit-sha>
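Review bot: the + line keeps the same upstream path and only swaps @main for <commit-sha>, while the paragraph above reports that this path returned 404 on main; pinning a path that does not exist still fails at run time, so the fix should first confirm which file the PR description points at (the still-open chittyfoundation/.github#7) and then pin to the 40-character SHA of the commit that contains it. Note also that for a repository literally named .github, the reusable-workflow form owner/repo/.github/workflows/file.yml@ref does produce the doubled .github/.github segment, so the 404 is consistent with the file not yet being on main rather than with a path typo; the suggestion to remove the "duplicated" segment should be checked against that before it is applied.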
🧰 Tools
🪛 zizmor (1.25.2)

[error] 7-7: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

@chitcommit chitcommit enabled auto-merge (squash) June 4, 2026 05:45
github-actions Bot commented Jun 4, 2026


@coderabbitai review

Please evaluate:

  • Security implications
  • Credential exposure risk
  • Dependency supply chain concerns
  • Breaking API changes

claude Bot commented Jun 4, 2026


Code Review — ci: adopt reusable auto-arm-merge workflow

Overview

This PR adds .github/workflows/auto-arm-merge.yml, a thin calling workflow that delegates to a reusable workflow in chittyfoundation/.github to arm gh pr merge --auto --squash --delete-branch on every non-draft PR open/reopen/ready_for_review event.

The file is six lines:

name: Auto-Arm Merge
on:
  pull_request:
    types: [opened, ready_for_review, reopened]
jobs:
  arm:
    uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main

Security

Pinned to @main — supply chain risk (high)

Reusable workflow references should be pinned to an immutable commit SHA, not a mutable branch ref. @main means any push to chittyfoundation/.github immediately changes the code that runs here — including auto-merging PRs in this repo. If that upstream branch is ever compromised or accidentally broken, it silently affects every PR in chittyfinance.

# before
uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main

# after — pin to a specific SHA and add a comment to track the version
uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@<full-sha>  # vX.Y.Z

See GitHub's hardening guidance — the same principle applies to reusable workflows in other orgs.


Missing permissions block (medium)

Every other workflow in this repo that needs write access (claude-code-review.yml, governance-gates.yml, etc.) explicitly declares a permissions block with least-privilege grants. This caller has none, so it inherits whatever the repo's default token permissions are — currently not visible here, but typically contents: write or broader.

For auto-merge to work the job needs at minimum pull-requests: write. Declaring that explicitly both documents intent and limits blast radius if the reusable workflow ever does something unexpected:

jobs:
  arm:
    permissions:
      pull-requests: write
    uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@<sha>

Note: permissions on the calling job is passed through to called reusable workflows, so this is the right level to set it.


Operational

No concurrency group

Without a concurrency group, rapid events on the same PR (e.g., reopen immediately after open) can queue duplicate gh pr merge --auto calls. Adding a concurrency group scoped to the PR number makes this idempotent at the workflow level:

concurrency:
  group: auto-arm-merge-${{ github.event.pull_request.number }}
  cancel-in-progress: true

Skip-condition logic lives entirely in the reusable workflow

The PR description lists several skip conditions (drafts, bots, WIP titles, forks). None of those are visible in this file — they're all delegated upstream. That's fine architecturally, but it means future contributors reading this file won't know the behavior without following the reference. Consider adding a comment or linking to the upstream file for discoverability.


Observation: empty diff

gh pr diff 128 returns nothing and changedFiles is 0. The current main HEAD (0db4594) is a merge commit whose second parent is this PR branch's tip (76a2bd95). The auto-arm-merge.yml file already exists on main. It looks like the branch content was already merged into main outside the normal PR close flow — the PR may be a no-op at this point. Worth confirming whether this should be closed or whether it needs a re-target.


Summary

Supply chain pin | Fix before merge — @main is not safe for a workflow that arms auto-merge
Permissions block | Add pull-requests: write for least-privilege
Concurrency group | Nice-to-have for robustness
Empty diff | Investigate whether this PR is still needed

The core idea (reusable auto-arm-merge) is sound and fits the repo's workflow patterns. The blocking issue is the @main pin on an org-level reusable workflow that can directly influence merge behavior.
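The two blocking findings in this review and the earlier ones (a mutable @main pin and a missing permissions: block) are mechanical properties of the caller file, so they can be checked before merge rather than spotted in review. The script below is an added example, not code from this PR, the repository or chittyfoundation: it classifies every uses: reference by how it is versioned (full SHA, tag, branch, local path, docker image) and flags jobs that declare no permissions: when the workflow level declares none either. It runs over the submitted caller as shown above and over a hardened version that applies the reviews' suggestions (SHA pin with a version comment, job-level permissions, a PR-scoped concurrency group, and synchronize in the trigger types). The hardened sample's 40-character SHA is a placeholder, not a real chittyfoundation/.github commit, the scopes are the ones the first review suggests, and the parser handles only the plain block-style YAML these caller files use.

```python
"""Audit caller workflows for the findings raised in this PR's reviews: a `uses:`
reference not pinned to a full commit SHA, and a job with no explicit `permissions:`
block (so it inherits the repository default GITHUB_TOKEN scopes).
Added example, not code from the PR, the repository or chittyfoundation. It parses
only the simple block-style YAML these caller files use (no PyYAML required)."""
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG = re.compile(r"^v?\d+(\.\d+)*$")
USES_KEY = re.compile(r"^(?:-\s+)?uses:\s*['\"]?([^\s'\"]+)")


def classify_ref(uses):
    """How a `uses:` target is versioned: sha, tag, branch, none, local or docker."""
    if uses.startswith("./"):
        return "local"      # same-repo path: versioned by the calling commit itself
    if uses.startswith("docker://"):
        return "docker"     # image references are pinned by digest, a separate rule
    if "@" not in uses:
        return "none"
    ref = uses.rsplit("@", 1)[1]
    if FULL_SHA.match(ref):
        return "sha"        # immutable: the only form that cannot change underneath you
    if VERSION_TAG.match(ref):
        return "tag"        # mutable: a tag can be moved to a different commit
    return "branch"         # e.g. @main: changes on every upstream push


def audit_workflow(text):
    """Return [(rule, line, detail)] findings for one workflow file, ordered by line."""
    findings, jobs = [], {}          # jobs: name -> {"line", "permissions"}
    workflow_permissions = False     # a workflow-level permissions: key covers all jobs
    in_jobs, jobs_indent = False, None
    job, job_indent = None, None     # current job and the indentation of its own keys
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()       # ignore trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key = line.strip()
        if indent == 0:                            # a new top-level section
            in_jobs, job = key == "jobs:", None
            workflow_permissions |= key.startswith("permissions:")
            continue
        if not in_jobs:
            continue
        jobs_indent = indent if jobs_indent is None else jobs_indent
        if indent == jobs_indent and key.endswith(":"):   # a job name
            job, job_indent = key[:-1], None
            jobs[job] = {"line": lineno, "permissions": False}
            continue
        if job is None:
            continue
        job_indent = indent if job_indent is None else job_indent
        if indent == job_indent and key.startswith("permissions:"):
            jobs[job]["permissions"] = True
        m = USES_KEY.match(key)
        if m:
            target, kind = m.group(1), classify_ref(m.group(1))
            if kind in ("tag", "branch", "none"):
                what = "reusable workflow" if indent == job_indent else "action"
                findings.append(("unpinned-uses", lineno,
                                 f"job {job!r} calls {what} {target} by {kind}, not a full commit SHA"))
    if not workflow_permissions:
        for name, info in jobs.items():
            if not info["permissions"]:
                findings.append(("missing-permissions", info["line"],
                                 f"job {name!r} declares no permissions and inherits the repository default"))
    return sorted(findings, key=lambda f: f[1])


# The caller workflow as submitted in this PR.
SUBMITTED = """\
name: Auto-Arm Merge
on:
  pull_request:
    types: [opened, ready_for_review, reopened]
jobs:
  arm:
    uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main
"""

# Constructed hardened version; the SHA is a placeholder, not a real upstream commit.
HARDENED = """\
name: Auto-Arm Merge
on:
  pull_request:
    types: [opened, ready_for_review, reopened, synchronize]
concurrency:
  group: auto-arm-merge-${{ github.event.pull_request.number }}
  cancel-in-progress: true
jobs:
  arm:
    permissions:
      pull-requests: write
      contents: write
    uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@0123456789abcdef0123456789abcdef01234567  # vX.Y.Z
"""

if __name__ == "__main__":
    for label, text in (("submitted", SUBMITTED), ("hardened", HARDENED)):
        print(f"== {label} ==")
        for rule, line, detail in audit_workflow(text) or [("ok", 0, "no findings")]:
            print(f"  line {line}: {rule}: {detail}")
```

Tags such as v4 are reported alongside branches on purpose: a tag can be moved, which is why the zizmor finding quoted above treats anything but a hash as unpinned. The workflow-level permissions: key is accepted as an explicit declaration, so a file that sets permissions: {} at the top and grants scopes per job passes the permissions rule.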

coderabbitai Bot commented Jun 4, 2026

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Read the new workflow file
cat .github/workflows/auto-arm-merge.yml

echo "---"
# Check all workflow files for context
ls .github/workflows/

echo "---"
# Fetch the reusable workflow from chittyfoundation/.github via GitHub API
gh api repos/chittyfoundation/.github/contents/.github/workflows/auto-arm-merge.yml \
  --jq '.content' | base64 -d 2>/dev/null || echo "Could not fetch reusable workflow content"

echo "---"
# Check PR details for permissions, secrets, etc.
gh pr view 128 --repo chittyapps/chittyfinance --json title,author,body,files

echo "---"
# Check repo settings around Actions permissions
gh api repos/chittyapps/chittyfinance/actions/permissions 2>/dev/null || echo "no access"

Length of output: 2543


🏁 Script executed:

#!/bin/bash
# Check if chittyfoundation/.github repo is accessible (public?)
gh api repos/chittyfoundation/.github --jq '{private: .private, visibility: .visibility, default_branch: .default_branch}' 2>/dev/null || echo "Repo not accessible (private or does not exist)"

echo "---"
# List workflows in chittyfoundation/.github if accessible
gh api repos/chittyfoundation/.github/contents/.github/workflows 2>/dev/null | jq -r '.[].name' || echo "Cannot list workflows"

echo "---"
# Check if chittyfoundation org exists
gh api orgs/chittyfoundation --jq '{login: .login, public_repos: .public_repos}' 2>/dev/null || echo "Org not accessible"

echo "---"
# Check the referenced PR chittyfoundation/.github#7
gh api repos/chittyfoundation/.github/pulls/7 --jq '{title: .title, state: .state, merged: .merged}' 2>/dev/null || echo "Cannot access referenced PR"

echo "---"
# Check if there are any secrets declared in the workflow that could be at risk
grep -ri "secret" .github/workflows/ || echo "No secrets references found"

echo "---"
# Check for permissions blocks in other workflows for comparison
grep -A5 "permissions:" .github/workflows/*.yml 2>/dev/null | head -60

Length of output: 7212



@github-actions[bot] — here is the security evaluation for PR #128.


Security Review: ci: adopt reusable auto-arm-merge

🔴 Critical — Referenced workflow does not exist yet

The reusable workflow chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main is not present in the upstream repository. The companion PR that introduces it (chittyfoundation/.github#7) is still open and unmerged.

Immediate consequences:

  • Every pull_request event (opened/ready_for_review/reopened) will hard-fail until feat(workflows): reusable auto-arm-merge workflow chittyfoundation/.github#7 lands.
  • More critically: this establishes a trust dependency on a future unreviewed merge. Whatever code ships in that PR — or is pushed to main afterward — becomes the code that runs against this repo's PRs and GITHUB_TOKEN without any re-review here.

Recommendation: Do not merge this PR until chittyfoundation/.github#7 is merged, the workflow is reviewed, and this caller pins to a specific immutable commit SHA.


🟡 High — Mutable branch pin (@main)

The uses: reference is pinned to the branch name, not a commit SHA:

uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main

Because chittyfoundation/.github is a public repository, any actor with push access to its main branch can silently change what runs here on the next PR event — no PR or change to this repo is required.

Recommendation: Pin to a full commit SHA, e.g.:

uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@<sha>

Update the SHA when intentionally adopting upstream changes (treat it like a dependency bump).


🟡 High — No permissions: block declared

Every other workflow in this repository explicitly declares least-privilege permissions (e.g. contents: read, pull-requests: write). This workflow declares none:

jobs:
  arm:
    uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main
    # ← no permissions block

For a pull_request event on same-repo PRs, GitHub may grant a broader default token. The reusable workflow needs pull-requests: write to arm auto-merge, but the calling workflow should declare that explicitly to stay consistent with the repo's security posture and to avoid accidentally granting more than needed.

Recommendation: Add an explicit permissions block:

jobs:
  arm:
    permissions:
      pull-requests: write
      contents: read
    uses: chittyfoundation/.github/.github/workflows/auto-arm-merge.yml@main

Note: permissions on a uses: job may need to be on the workflow level depending on how the reusable workflow is structured — verify after chittyfoundation/.github#7 is reviewable.


✅ Credential Exposure — Low Risk (with caveats)

  • No secrets: inherit — named repository secrets are not forwarded to the reusable workflow. This is the correct default.
  • The GITHUB_TOKEN is implicitly scoped to the pull_request event, which uses a read-only token for fork PRs (external contributors cannot abuse this to write).
  • The trigger is pull_request, not pull_request_target — fork PRs cannot access write-scoped tokens or secrets. This is the safe choice for this use case.

The caveat is that without the permissions block noted above, the exact token scope for same-repo PRs is ambiguous until repo-level default permissions are confirmed.


✅ Breaking API Changes — No direct risk

  • gh pr merge --auto --squash --delete-branch is a stable, well-documented CLI pattern.
  • The PR notes the squash ruleset is already locked and required checks still gate actual merges — auto-merge arming is purely additive.
  • Skip conditions (drafts, dependabot/renovate, WIP prefix, forks) reduce noise risk.

Summary

Area | Finding | Severity
Supply chain | Upstream PR#7 not merged; @main mutable pin | 🔴 Critical
Supply chain | Branch ref instead of commit SHA | 🟡 High
Token scope | Missing permissions: block | 🟡 High
Credential exposure | No secrets: inherit, safe trigger event | ✅ Low
Breaking changes | None identified | ✅ None

Suggested order of operations:

  1. Review and merge feat(workflows): reusable auto-arm-merge workflow chittyfoundation/.github#7 with a full audit of the reusable workflow body.
  2. Pin this caller to the resulting merge commit SHA.
  3. Add an explicit permissions: block.
  4. Then merge this PR.
