bitwise-media-group · bitwise-fast-forward-merge · Jun 29, 2026 · Jun 29, 2026 · Jun 29, 2026 · Jun 29, 2026
diff --git a/.github/workflows/auto-merge.yaml b/.github/workflows/auto-merge.yaml
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
diff --git a/.github/workflows/dependabot-merge.yaml b/.github/workflows/dependabot-merge.yaml
@@ -1,7 +1,7 @@
 # Caller for the org's reusable Dependabot auto-merge workflow. Dependabot opens
-# weekly github-actions pin-bump PRs (see .github/dependabot.yaml); this
-# auto-approves the minor/patch ones and fast-forwards them into main once CI is
-# green, via the same signature-preserving "FF Merge" App as the `/merge` flow.
+# weekly github-actions pin-bump PRs (see .github/dependabot.yaml); once a PR's
+# checks are green this auto-approves the minor/patch ones and fast-forwards them
+# into main via the same signature-preserving "FF Merge" App as the `/merge` flow.
 # Major updates are never approved, so they wait for a human.
 #
 # Both the approval and the merge use the App token, so approval works regardless
@@ -10,31 +10,30 @@
 # Integration bypass actor. The approval is what satisfies
 # public-pull-request-required's required review.
 #
-# Both triggers are required: pull_request_target approves on open, and
-# workflow_run fast-forwards once CI finishes green. `workflows:` lists this
-# repo's only PR-gating check, CodeQL (public-code-quality); check_suite is not
-# usable — GitHub does not fire it for a repo's own Actions CI. pull_request_target
-# is safe here: the reusable workflow never checks out or runs PR code.
+# Trigger: workflow_run only — v3 dropped the pull_request_target trigger. This
+# event attaches no check run to the PR, so it leaves no skipped-job clutter (and
+# needs no pull_request_target). `workflows:` lists this repo's only PR-gating
+# check, the CodeQL-based "Security Analysis"; whichever run finishes last triggers
+# the merge attempt. check_suite is not usable — GitHub does not fire it for a
+# repo's own Actions CI.
 #
 # Org prerequisites (see bitwise-media-group/ff-merge): the FF_MERGE_CLIENT_ID
-# variable + FF_MERGE_PRIVATE_KEY secret, and the "FF Merge" App in main's
-# ruleset bypass list — the same App as the `/merge` flow.
+# variable + FF_MERGE_PRIVATE_KEY secret, and the "FF Merge" App in main's ruleset
+# bypass list — the same App as the `/merge` flow.
 
-name: Dependabot auto-merge
+name: Dependabot Auto-Merge
 
 on:
-  pull_request_target:
-    types: [opened, reopened, synchronize]
   workflow_run:
-    workflows: ["CodeQL analysis"]
+    workflows: ["Security Analysis"]
     types: [completed]
 
 # the App token does the privileged work; the caller grants nothing
 permissions: {}
 
 jobs:
   auto-merge:
-    uses: bitwise-media-group/github-workflows/.github/workflows/dependabot-merge.yaml@077a003a620f49bd0062c73fc761dbea05d7fb70 # v1.1.0
+    uses: bitwise-media-group/github-workflows/.github/workflows/dependabot-merge.yaml@4a154ffd7efbb6aff856386ec1def4b6dc364672 # v4.0.0
     with:
       app-client-id: ${{ vars.FF_MERGE_CLIENT_ID }}
     secrets:

diff --git a/.github/workflows/merge-notice.yaml b/.github/workflows/merge-notice.yaml
@@ -8,7 +8,7 @@
 # and never checks out or runs PR code, so the elevated context is safe. No
 # secret needed.
 
-name: Fast-forward merge notice
+name: Merge Notice
 
 on:
   pull_request_target:
@@ -20,6 +20,6 @@ permissions:
 
 jobs:
   notice:
-    uses: bitwise-media-group/github-workflows/.github/workflows/merge-notice.yaml@077a003a620f49bd0062c73fc761dbea05d7fb70 # v1.1.0
+    uses: bitwise-media-group/github-workflows/.github/workflows/merge-notice.yaml@4a154ffd7efbb6aff856386ec1def4b6dc364672 # v4.0.0
     with:
       pr-number: ${{ github.event.pull_request.number }}
diff --git a/.github/workflows/merge-review-ack.yaml b/.github/workflows/merge-review-ack.yaml
@@ -0,0 +1,25 @@
+# Caller for the org's reusable merge-review-ack workflow — the v3 companion that
+# makes an approval complete an armed auto-merge. An approval on a fork PR carries
+# no secrets, so merge.yaml's review path can't merge it directly; and if every
+# check is already green, the approval is the last event, so nothing else would
+# fire to finish the merge. This workflow completes on an approving review purely
+# so its workflow_run(completed) re-enters merge.yaml in the base-repo context,
+# where the "FF Merge" App token is minted and the fast-forward retried. Harmless
+# for same-repo PRs (those merge via the review path directly).
+#
+# Wire-up: this workflow's name, "Merge Review Ack", is listed in merge.yaml's
+# workflow_run.workflows. It does no privileged work, so it grants nothing and
+# needs no secret — the completed run is the only signal.
+
+name: Merge Review Ack
+
+on:
+  pull_request_review:
+    types: [submitted]
+
+# does no privileged work; grants nothing
+permissions: {}
+
+jobs:
+  ack:
+    uses: bitwise-media-group/github-workflows/.github/workflows/merge-review-ack.yaml@4a154ffd7efbb6aff856386ec1def4b6dc364672 # v4.0.0
diff --git a/.github/workflows/merge.yaml b/.github/workflows/merge.yaml
@@ -1,37 +1,55 @@
-# Caller for the org's reusable fast-forward `/merge` workflow. A maintainer
-# comments `/merge` on an approved, green PR and the base branch is
-# fast-forwarded to the PR head, preserving each commit's signature — so the
-# result still satisfies `required_signatures` on main.
+# Caller for the org's reusable fast-forward merge workflow. As of v2 the old
+# auto-merge.yaml is folded in here, so this one file drives both flows: a
+# maintainer comments `/merge` on an approved, green PR to fast-forward main now,
+# or arms set-and-forget auto-merge with `/auto-merge` (or the `auto-merge` label)
+# so the PR merges itself the moment it is approved and every required check is
+# green. Either way the "FF Merge" GitHub App moves the ref, preserving each
+# commit's signature — so the result still satisfies `required_signatures` on main.
 #
-# The privileged ref move is done by the "FF Merge" GitHub App, which sits in
-# main's ruleset bypass list (the Integration bypass actor in
-# public-pull-request-required / public-code-quality). The reusable workflow
-# mints the App token, re-verifies the commenter's write access, that the PR is
-# approved and every required check is green, and that the move is a genuine
-# fast-forward before touching the ref — so the caller's GITHUB_TOKEN needs no
-# permissions of its own.
+# The App sits in main's ruleset bypass list (the Integration bypass actor in
+# public-pull-request-required / public-code-quality). The reusable workflow mints
+# the App token, re-verifies write access, approval, and that every required check
+# is green, and that the move is a genuine fast-forward before touching the ref —
+# so the caller's GITHUB_TOKEN needs no permissions of its own.
 #
-# Trigger: issue_comment runs in the base-repo context, so the App credentials
-# are available even for fork PRs.
+# Every trigger here attaches NO check run to the PR head, so the merge machinery
+# leaves no skipped-job clutter on the PR's checks list:
+#   - issue_comment(created) drives `/merge` and arms `/auto-merge`; it runs in the
+#     base-repo context, so the App credentials are available even for fork PRs.
+#   - workflow_run(completed) re-attempts an armed auto-merge once a gating run
+#     finishes. `workflows:` lists every check that must be green PLUS "Merge Review
+#     Ack" (the companion in merge-review-ack.yaml that turns an approval into a
+#     merge attempt, for fork and same-repo PRs alike). This repo's only PR-gating
+#     check is the CodeQL-based "Security Analysis"; release runs on push to main,
+#     not on PRs, so it is not listed. Whichever run finishes last triggers the
+#     attempt, and the App re-verifies all checks before merging.
+#   - schedule sweeps armed PRs hourly as a backstop for any missed event. As of
+#     v3, adding the `auto-merge` label arms the PR; the merge then happens on the
+#     next workflow_run or this sweep, not immediately.
 #
 # Org prerequisites (see bitwise-media-group/ff-merge): the FF_MERGE_CLIENT_ID
-# variable + FF_MERGE_PRIVATE_KEY secret, and the "FF Merge" App in main's
-# ruleset bypass list.
+# variable + FF_MERGE_PRIVATE_KEY secret, and the "FF Merge" App in main's ruleset
+# bypass list — the same App as the Dependabot auto-merge flow.
 
-name: Fast-forward merge
+name: Merge
 
 on:
   issue_comment:
     types: [created]
+  workflow_run:
+    workflows: ["Security Analysis", "Merge Review Ack"]
+    types: [completed]
+  schedule:
+    # Hourly backstop sweep of armed PRs for any missed event trigger.
+    - cron: "17 * * * *"
 
 # the App token does the privileged work; the job's GITHUB_TOKEN needs nothing
 permissions: {}
 
 jobs:
-  fast-forward:
-    uses: bitwise-media-group/github-workflows/.github/workflows/merge.yaml@077a003a620f49bd0062c73fc761dbea05d7fb70 # v1.1.0
+  merge:
+    uses: bitwise-media-group/github-workflows/.github/workflows/merge.yaml@4a154ffd7efbb6aff856386ec1def4b6dc364672 # v4.0.0
     with:
-      pr-number: ${{ github.event.issue.number }}
       app-client-id: ${{ vars.FF_MERGE_CLIENT_ID }}
     secrets:
       app-private-key: ${{ secrets.FF_MERGE_PRIVATE_KEY }}
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,49 @@
+# Caller for the org's reusable release workflow. This repo has no .goreleaser.yaml
+# and no zensical.toml, and ships no build artifacts, so a release here is just the
+# release-please cut (the workflow's goreleaser/publish, docs, and vanity-tags jobs
+# skip). It drives releases
+# within the org rulesets for public repos:
+#   - opens a `release-please--*` release PR branch, the prefix that
+#     `public-fork-only` allows to be created directly in the repo;
+#   - tags releases as vX.Y.Z, the only tags `public-version-tags-only` permits,
+#     which `public-immutable-tags` then freezes;
+#   - release-please commits with the GITHUB_TOKEN, which GitHub signs as verified,
+#     so the release commit satisfies `required_signatures` on protected branches.
+#
+# Manifest mode: configuration lives in release-please-config.json and the current
+# version in .release-please-manifest.json at the repo root. vanity-tags is left at
+# its default (false) — nothing pins this repo as a reusable workflow, so there are
+# no floating major tags to move.
+
+name: Release
+
+on:
+  push:
+    branches: [main]
+
+# Ceiling for the reusable workflow's jobs. GitHub resolves a reusable workflow's
+# permissions as the union of every job and ignores `if:`, so the caller must grant
+# every scope any job declares — even the goreleaser/publish and docs jobs that are
+# skipped here (no .goreleaser.yaml, no zensical.toml) — or the run fails at startup.
+# This block is only a ceiling: each reusable job narrows to its own declared scopes,
+# so the only job that runs here, release-please, still gets just
+# contents/issues/pull-requests; the rest exist solely to clear that startup check.
+permissions:
+  # create release commits, tags, and GitHub Releases (release-please)
+  contents: write
+  # release-please creates PR labels via the issues API
+  issues: write
+  # open and update the release PR
+  pull-requests: write
+  # cosign keyless signing (goreleaser) + the docs job's Pages OIDC deploy
+  id-token: write
+  # GitHub build-provenance attestation (goreleaser/publish)
+  attestations: write
+  # artifact storage record for the attestation (goreleaser/publish)
+  artifact-metadata: write
+  # publish the docs site to GitHub Pages (docs job, when a zensical.toml exists)
+  pages: write
+
+jobs:
+  release:
+    uses: bitwise-media-group/github-workflows/.github/workflows/release.yaml@4a154ffd7efbb6aff856386ec1def4b6dc364672 # v4.0.0
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
@@ -0,0 +1,39 @@
+# Caller for the org's reusable security (CodeQL) workflow — the v2 rename of the
+# old codeql.yaml. It owns the triggers and grants the analyze permissions; the
+# reusable workflow detects languages at the repo root and scans `actions`
+# (build-free), plus go (when a root go.mod exists) and javascript-typescript
+# (when package.json exists). This repo is shell + JSON config with neither, so
+# `actions` is the only language analyzed — the same coverage the previous inline
+# CodeQL workflow gave, and what public-code-quality's required code scanning
+# expects (it gates on the "CodeQL" tool, which codeql-action reports regardless
+# of this workflow's name).
+#
+# The workflow name "Security Analysis" is load-bearing: merge.yaml and
+# dependabot-merge.yaml list it in their workflow_run triggers as this repo's only
+# PR-gating check. Keep it in sync there if you rename it.
+
+name: Security Analysis
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: ["main", "releases/*"]
+  schedule:
+    # Weekly, so newly-published CodeQL queries surface issues between changes.
+    - cron: "27 4 * * 1"
+
+# ceiling for the reusable workflow's analyze job
+permissions:
+  # upload analysis results to code scanning
+  security-events: write
+  # fetch internal or private CodeQL packs
+  packages: read
+  # required to analyze the `actions` language
+  actions: read
+  # check out the repository
+  contents: read
+
+jobs:
+  analyze:
+    uses: bitwise-media-group/github-workflows/.github/workflows/security.yaml@4a154ffd7efbb6aff856386ec1def4b6dc364672 # v4.0.0