From 576e9e6421e04276bfc3e5c7bca3bd27b981e969 Mon Sep 17 00:00:00 2001
From: JacobPEvans <20714140+JacobPEvans@users.noreply.github.com>
Date: Tue, 7 Apr 2026 05:52:29 -0400
Subject: [PATCH 1/3] feat: add AI merge gate and Copilot setup steps

Single status check for branch protection that aggregates all Copilot gh-aw agent check results. Add copilot-setup-steps.yml to enable Copilot cloud agent on this repo. (claude)
---
 .github/workflows/ai-merge-gate.yml | 8 ++++++++
 .github/workflows/copilot-setup-steps.yml | 11 +++++++++++
 2 files changed, 19 insertions(+)
 create mode 100644 .github/workflows/ai-merge-gate.yml
 create mode 100644 .github/workflows/copilot-setup-steps.yml

diff --git a/.github/workflows/ai-merge-gate.yml b/.github/workflows/ai-merge-gate.yml
new file mode 100644
index 0000000..d98f95b
--- /dev/null
+++ b/.github/workflows/ai-merge-gate.yml
@@ -0,0 +1,8 @@
+name: AI Merge Gate
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+jobs:
+ gate:
+ uses: JacobPEvans/ai-workflows/.github/workflows/_ai-merge-gate.yml@main
+secrets: inherit
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
new file mode 100644
index 0000000..57afb31
--- /dev/null
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -0,0 +1,11 @@
+name: Copilot Setup Steps
+on:
+ workflow_dispatch:
+jobs:
+ copilot-setup-steps:
+ name: Copilot Setup Steps
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - uses: actions/checkout@v6
From 4194630bd84b8d95692e8e96dc9fd1ab7512a3de Mon Sep 17 00:00:00 2001
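Review bot: `uses: JacobPEvans/ai-workflows/.github/workflows/_ai-merge-gate.yml@main` together with `secrets: inherit` runs whatever the ai-workflows `main` branch contains at that moment with every secret this repository holds, so a bad merge or a compromise of that repository propagates here with no review step in between. Pin the reusable workflow to an immutable ref and bump it deliberately, e.g. `uses: JacobPEvans/ai-workflows/.github/workflows/_ai-merge-gate.yml@<full-commit-sha>  # <release-tag>` (both placeholders), and if the gate needs only a few secrets, pass them by name under `secrets:` rather than `inherit`. The same `uses:` line survives unchanged as context in the PATCH 2/3 and PATCH 3/3 hunks, so the point applies to the final state of the file as well.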
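Review bot: `- uses: actions/checkout@v6` in the new copilot-setup-steps.yml references a mutable major-version tag; for a workflow whose sole job is to prepare the environment a coding agent runs in, pinning to a full commit SHA with the version in a trailing comment (`- uses: actions/checkout@<full-commit-sha>  # v6`, placeholder SHA) makes the executed step auditable and immune to tag moves. The job-level `permissions:` with only `contents: read` is the right baseline and should stay as narrow as this when further setup steps are added. `name: Copilot Setup Steps` is repeated at workflow and job level; a distinct job `name:` would make run logs easier to read, though the job id `copilot-setup-steps` itself should stay as written.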
From: JacobPEvans <20714140+JacobPEvans@users.noreply.github.com>
Date: Tue, 7 Apr 2026 06:07:05 -0400
Subject: [PATCH 2/3] fix: add permissions and concurrency to AI merge gate caller

Addresses CodeQL finding and review feedback. Adds explicit permissions (checks:read, contents:read, statuses:read) and concurrency group to prevent queued runs. (claude)
---
 .github/workflows/ai-merge-gate.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.github/workflows/ai-merge-gate.yml b/.github/workflows/ai-merge-gate.yml
index d98f95b..f538ace 100644
--- a/.github/workflows/ai-merge-gate.yml
+++ b/.github/workflows/ai-merge-gate.yml
@@ -2,6 +2,16 @@ name: AI Merge Gate
 on:
 pull_request:
 types: [opened, synchronize, reopened]
+
+concurrency:
+ group: ai-merge-gate-${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ checks: read
+ contents: read
+ statuses: read
+
 jobs:
 gate:
 uses: JacobPEvans/ai-workflows/.github/workflows/_ai-merge-gate.yml@main
From 51c4ae52f332cd3c1912b29d3d490b1f9f8dcc46 Mon Sep 17 00:00:00 2001
From: JacobPEvans <20714140+JacobPEvans@users.noreply.github.com>
Date: Tue, 7 Apr 2026 06:27:25 -0400
Subject: [PATCH 3/3] fix: slim AI merge gate caller to absolute minimum
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remove concurrency and verbose permissions — handled by reusable workflow. Use read-all shorthand. Omit default trigger types. (claude)
---
 .github/workflows/ai-merge-gate.yml | 15 ++------------
 1 file changed, 2 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/ai-merge-gate.yml b/.github/workflows/ai-merge-gate.yml
index f538ace..b7bca0e 100644
--- a/.github/workflows/ai-merge-gate.yml
+++ b/.github/workflows/ai-merge-gate.yml
@@ -1,17 +1,6 @@
 name: AI Merge Gate
-on:
- pull_request:
- types: [opened, synchronize, reopened]
-
-concurrency:
- group: ai-merge-gate-${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
-
-permissions:
- checks: read
- contents: read
- statuses: read
-
+on: pull_request
+permissions: read-all
 jobs:
 gate:
 uses: JacobPEvans/ai-workflows/.github/workflows/_ai-merge-gate.yml@main
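Review bot: `permissions: read-all` raises the caller's GITHUB_TOKEN ceiling above the three scopes the previous patch enumerated; a called reusable workflow can only downgrade the permissions its caller grants, never enlarge them, so this caller block is the effective upper bound and the commit message's "handled by reusable workflow" is true only for narrowing. If the gate needs nothing beyond `checks: read`, `contents: read` and `statuses: read`, keeping those explicit (or a comment stating why the full read set is required, e.g. `permissions: read-all  # reusable gate narrows further; read on all scopes is needed for <reason>`) preserves least privilege at the exact point branch protection depends on. `on: pull_request` without `types` defaults to opened/synchronize/reopened, so that part of the slimming is behavior-neutral.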