feat: integrate auto-merge functionality and improve documentation #30
Merged
Non-functional cleanup that improves readability and correctness:
- Fixed typo 'passe' → 'passed' in secrets comment
- Fixed typo 'triggerd' → 'triggered' in add-pr-comment description
- Fixed typo 'woraround' → 'workaround' in setup-terraform comment
- Fixed incorrect description reference 'goals-yml' → 'terraform-init-additional-dirs-yml'
- Fixed incorrect description reference 'goals-yml' → 'extra-envs-yml'
- Fixed incorrect description reference 'goals-yml' → 'extra-envs-from-secrets-yml'

Improves consistency and readability in documentation:
- Reordered optional environment fields alphabetically for better discoverability
- Documented previously undocumented per-environment settings:
  - terraform-version
  - tflint-version
  - format-check-in-root-dir
  - add-pr-comment
- Updated runs-on description to reference the workflow input instead of full URL

Organize input fields alphabetically and add documentation comments:
- Added comment documenting deliberately excluded fields
- Reordered YML_INPUTS alphabetically
- Reordered MERGE_INPUT_YML_FIELDS alphabetically
- Updated comment to clarify 'yml fields that needs merge'
- Reordered REQ_FIELDS alphabetically
- Reordered NOT_EMPTY_FIELDS alphabetically

Alphabetical ordering improves maintainability and makes it easier to spot missing or duplicate fields. No functional changes.

Centralize runner configuration with global default:
- Added new workflow input 'runs-on' with default 'ubuntu-latest'
- Updated 'create-matrix' job to use global runs-on input
- Updated 'conclusion' job to use global runs-on input
- Removed default 'ubuntu-latest' assignment from create-tf-vars-matrix action

Single source of truth for runner configuration. Per-environment override still possible via environments-yml. Simplifies create-tf-vars-matrix action. All runner-related changes grouped together.

Prevent unnecessary operations when PR is being closed or converted to draft:
- Updated validation summary step to skip when action is 'closed' or 'converted_to_draft'
- Updated apply step to skip when action is 'closed' or 'converted_to_draft'
- Updated destroy step to skip when action is 'closed' or 'converted_to_draft'

Independent improvement to workflow logic that prevents wasted resources on PRs being closed. No dependencies on auto-merge feature.

Introduce new reusable action for capturing matrix job metadata.

This standalone action collects metadata from matrix job execution, storing it as artifacts for use by downstream processes. It enables future metadata collection use cases without modifying the main workflow.

Benefits:
- Standalone action with no dependencies
- Can be tested independently
- Enables metadata-driven automation
- Does not modify existing workflow (integration comes later)

Introduce new reusable action for evaluating PR auto-merge eligibility.

This standalone action evaluates whether a pull request meets the criteria for automatic merging based on metadata from capture-matrix-job-meta and configurable limits (actors, plan counts, etc.).

Benefits:
- Standalone action with clear dependencies (metadata format from capture action)
- Can be tested independently
- Encapsulates complex eligibility logic
- Does not modify existing workflow (integration comes later)

Introduce new reusable action for performing PR auto-merge.

This standalone action handles the actual merge operation for pull requests that have been evaluated as eligible for automatic merging. It encapsulates the merge logic and GitHub API interactions.

Benefits:
- Standalone action with no dependencies
- Can be tested independently
- Encapsulates merge logic
- Does not modify existing workflow (integration comes later)

Add configuration inputs for auto-merge behavior without activating it:
- Added workflow inputs: pr-auto-merge-enabled, pr-auto-merge-from-actors-yml, pr-auto-merge-limits-yml
- Added corresponding parsing/validation in create-tf-vars-matrix:
  - Included in YML_INPUTS and merge lists
  - Required and non-empty field validations for pr-auto-merge-* values

Adds configuration infrastructure for auto-merge; feature integration comes later.

Activate auto-merge functionality by integrating new actions:
- Capture matrix job metadata in terraform-ci-cd job (always, non-blocking)
- Add automerge job gated on pr-auto-merge-enabled, PR event, non-closed/draft, and successful workflow
- Download metadata artifacts, evaluate eligibility, mint GitHub App token, and perform auto-merge

Completes integration of capture/evaluate/merge actions with configurable auto-merge inputs.

Replace hardcoded app-id and PRIVATE_KEY secret with two new workflow inputs:
- pr-auto-merge-app-id: GitHub App ID (plain string)
- pr-auto-merge-app-private-key-secret: name of the secret containing the private key

The private key is resolved at runtime from toJSON(secrets), following the same pattern used by export-env-vars for extra-envs-from-secrets-yml. A validation step now runs first in the automerge job, failing early with a clear error if auto-merge is enabled but the required configuration is missing.

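The commit above describes looking a secret up by name in the serialized secrets context, masking it, and handing it to later steps through a multiline step output. The following is an added Python illustration of that handling, not the project's own action (which uses jq in a shell step): the secret names, the sample key material, the PR_AUTO_MERGE_APP_PRIVATE_KEY_SECRET environment variable and the app-private-key output name are all constructed for the example. It fails with an actionable ::error:: when the named secret is absent, emits ::add-mask:: for every line of the value before anything else happens, and writes the GITHUB_OUTPUT heredoc with a random delimiter that is checked not to occur inside the value.

```python
"""Added example: resolve a secret by name from the serialized secrets context,
mask it, and publish it as a multiline step output."""
import json
import os
import secrets
import sys
from typing import List

# Constructed stand-in for toJSON(secrets); this is not real key material.
SAMPLE_SECRETS_JSON = json.dumps({
    "github_token": "ghs_constructed_token",
    "AUTOMERGE_APP_KEY": "-----BEGIN RSA PRIVATE KEY-----\n"
                         "LINE1constructed\nLINE2constructed\n"
                         "-----END RSA PRIVATE KEY-----",
})


def resolve_secret(secrets_json: str, secret_name: str) -> str:
    """Return the value of the secret called *secret_name*, or fail clearly."""
    if not secret_name:
        raise ValueError("secret name input is empty")
    table = json.loads(secrets_json)
    value = table.get(secret_name)
    if not value:
        raise KeyError(
            f"secret '{secret_name}' is not available to this workflow "
            "(is it defined, and does the caller pass secrets: inherit?)")
    return value


def mask_commands(value: str) -> List[str]:
    """One ::add-mask:: workflow command per non-empty line of the value,
    so every line of a multiline PEM key is redacted from the job log."""
    return [f"::add-mask::{line}" for line in value.splitlines() if line.strip()]


def output_record(name: str, value: str) -> str:
    """GITHUB_OUTPUT multiline record: name<<DELIM / value / DELIM.
    The delimiter is random and verified not to appear inside the value,
    so a crafted value cannot terminate the heredoc early."""
    while True:
        delim = "EOF_" + secrets.token_hex(16)
        if delim not in value:
            return f"{name}<<{delim}\n{value}\n{delim}\n"


def main() -> int:
    # Constructed variable names; the real action reads its own inputs.
    secret_name = os.environ.get("PR_AUTO_MERGE_APP_PRIVATE_KEY_SECRET", "AUTOMERGE_APP_KEY")
    secrets_json = os.environ.get("SECRETS_JSON", SAMPLE_SECRETS_JSON)
    try:
        value = resolve_secret(secrets_json, secret_name)
    except (KeyError, ValueError) as exc:
        print(f"::error::{exc}")
        return 1
    # Mask first: nothing may print the value before these commands are seen.
    for cmd in mask_commands(value):
        print(cmd)
    # Outside Actions, write to a local file rather than echoing the secret.
    out_path = os.environ.get("GITHUB_OUTPUT") or "github_output.local"
    with open(out_path, "a", encoding="utf-8") as fh:
        fh.write(output_record("app-private-key", value))
    print(f"wrote step output 'app-private-key' to {out_path}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The design choice worth noting is the order of operations: the mask commands are emitted before the value is written anywhere, and the step output (not an environment variable or a log line) is the only place the value travels, which is what the random-delimiter heredoc is for.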
Summary
This PR introduces automated pull request merging capabilities for the terraform-ci-cd workflow. When enabled, PRs that meet configurable criteria (specific actors, change limits, successful workflow completion) can be automatically merged, reducing manual toil while maintaining safety guardrails.
✨ New Features
Auto-Merge Workflow Integration
A new automerge job is added to the terraform-ci-cd workflow that:
- is gated on pr-auto-merge-enabled: true
Three New Reusable Actions
- capture-matrix-job-meta
- evaluate-automerge-eligibility
- auto-merge-pr
Each action is standalone and can be tested independently.
New Workflow Inputs for Auto-Merge Configuration
Configurable GitHub App Credentials
Auto-merge requires a GitHub App token with contents: write and pull-requests: write permissions. Rather than hardcoding credentials, this PR introduces two new inputs that follow the established export-env-vars / extra-envs-from-secrets-yml pattern used elsewhere in this codebase:
- pr-auto-merge-app-id
- pr-auto-merge-app-private-key-secret
How it works:
- pr-auto-merge-app-id is the numeric App ID, passed directly as a workflow input.
- pr-auto-merge-app-private-key-secret holds the name of a GitHub Actions secret (not the value itself). The actual private key is resolved at runtime from the toJSON(secrets) context using jq, the same way export-env-vars resolves secret values from secret names. The resolved value is immediately masked via ::add-mask:: and passed as a step output using a random delimiter to safely handle multiline PEM keys.
- A validation step runs first in the automerge job so that misconfiguration fails fast with a clear error message before any other work is attempted.
- The calling workflow must pass secrets: inherit so the secret is available for resolution.
Example consumer usage:
This design ensures:
🛠️ Improvements
Global Runner Configuration
- New runs-on workflow input with default ubuntu-latest
- Per-environment override still possible via environments-yml
- Default runner assignment removed from the create-tf-vars-matrix action
Skip Operations on Closed/Draft PRs
Workflow now skips expensive operations when the PR event action is:
- closed
- converted_to_draft
Affected steps: validation summary, terraform apply, terraform destroy. This prevents wasted compute on PRs that are no longer active.
📝 Documentation & Code Quality
Fixed Typos and Incorrect References
- passe → passed (secrets comment)
- triggerd → triggered (add-pr-comment description)
- woraround → workaround (setup-terraform comment)
- goals-yml references → correct field names
Improved Documentation
Documented previously undocumented per-environment settings:
- terraform-version
- tflint-version
- format-check-in-root-dir
- add-pr-comment
Code Organization
Reordered field lists alphabetically in create-tf-vars-matrix for maintainability:
- YML_INPUTS
- MERGE_INPUT_YML_FIELDS
- REQ_FIELDS
- NOT_EMPTY_FIELDS
🔄 How Auto-Merge Works
```mermaid
flowchart TD
    A[PR Event] --> B[create-matrix job]
    B --> C[terraform-ci-cd job]
    C --> D[Capture metadata<br/>for each matrix env]
    D --> E[conclusion job]
    E --> F{Conclusion<br/>succeeded?}
    F -->|No| G[❌ Workflow ends<br/>no auto-merge]
    F -->|Yes| H{Auto-merge<br/>enabled?}
    H -->|No| I[✅ Workflow ends<br/>auto-merge disabled]
    H -->|Yes| J{PR event &<br/>not closed/draft?}
    J -->|No| I
    J -->|Yes| K[automerge job starts]
    K --> L[🔐 Validate credentials config]
    L --> M[📥 Download metadata artifacts]
    M --> N[🔍 Evaluate eligibility:<br/>• Actor allowed?<br/>• Plan within limits?]
    N --> O{Eligible?}
    O -->|No| P[📋 Log reason & skip]
    O -->|Yes| Q[🔑 Resolve app private key<br/>from secrets context]
    Q --> R[🎫 Create GitHub App token]
    R --> S[🤖 Perform auto-merge]
```
Job Execution Order
1. create-matrix
2. terraform-ci-cd
3. conclusion
4. automerge (runs only when pr-auto-merge-enabled ✓ AND PR event ✓ AND not closed/draft ✓)
Eligibility Criteria
Within the automerge job, a PR is eligible for auto-merge when:
- the PR actor is in the allowed actors list (pr-auto-merge-from-actors-yml)
- the plan is within the configured limits (pr-auto-merge-limits-yml)
Automerge Job Step Sequence
1. Validate credentials config: fail if pr-auto-merge-app-id or pr-auto-merge-app-private-key-secret is missing
2. Download metadata artifacts
3. Evaluate eligibility, producing the is-eligible output
4. If is-eligible == 'true': resolve the app private key from toJSON(secrets) by name, mask it
5. If is-eligible == 'true': create the GitHub App token
6. If is-eligible == 'true': perform the merge with gh pr merge --admin --rebase --delete-branch
📋 Commits (Logical Grouping)
Preparatory Refactoring
Infrastructure Improvements
New Actions (Standalone, Testable)
Feature Integration
- Credential resolution follows the export-env-vars pattern
🧪 Testing
- Existing test scripts (run_all_tests.sh, run_local_step_*.sh)
- Auto-merge is opt-in via the pr-auto-merge-enabled input (default: false)
- The "debug: use dev tag in cicd wf" commit is temporary for testing and will be reverted before final merge
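The eligibility criteria above (actor allow list, plan within limits) are the control that decides whether the merge step runs, and because that step uses gh pr merge --admin, which merges even when branch-protection requirements are not met, the gate should fail closed on anything it cannot interpret. The following is an added Python example of such an evaluator written for this page, not the project's evaluate-automerge-eligibility action; the metadata record layout, the sample actor names and the max-add / max-change / max-destroy limit keys are constructed, since the real capture-matrix-job-meta schema and limits format are not shown.

```python
"""Added example: fail-closed auto-merge eligibility gate over per-environment metadata."""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class PlanSummary:
    add: int
    change: int
    destroy: int


@dataclass(frozen=True)
class EnvMeta:
    environment: str
    actor: str
    plan: PlanSummary


# Constructed metadata records, one per matrix environment (hypothetical schema).
SAMPLE_ARTIFACTS = [
    json.dumps({"environment": "dev", "actor": "dependabot[bot]",
                "plan": {"add": 0, "change": 2, "destroy": 0}}),
    json.dumps({"environment": "prod", "actor": "dependabot[bot]",
                "plan": {"add": 0, "change": 2, "destroy": 0}}),
]
# Constructed stand-ins for pr-auto-merge-from-actors-yml and pr-auto-merge-limits-yml.
ALLOWED_ACTORS = ["dependabot[bot]", "renovate[bot]"]
LIMITS = {"max-add": 5, "max-change": 10, "max-destroy": 0}

PLAN_FIELDS = (("add", "max-add"), ("change", "max-change"), ("destroy", "max-destroy"))


def parse_artifact(raw: str) -> EnvMeta:
    """Parse one metadata record, rejecting anything that is not well-formed."""
    doc = json.loads(raw)
    actor = doc["actor"]
    if not isinstance(actor, str) or not actor:
        raise ValueError("actor must be a non-empty string")
    counts: Dict[str, int] = {}
    for name, _ in PLAN_FIELDS:
        value = doc["plan"][name]
        # bool is a subclass of int; reject it explicitly along with negatives.
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(f"plan.{name} must be a non-negative integer, got {value!r}")
        counts[name] = value
    return EnvMeta(str(doc["environment"]), actor, PlanSummary(**counts))


def evaluate(artifacts: Iterable[str], allowed_actors: List[str],
             limits: Dict[str, int]) -> Tuple[bool, List[str]]:
    """Return (eligible, reasons). Any doubt resolves to 'not eligible'."""
    artifacts = list(artifacts)
    if not artifacts:
        return False, ["no metadata artifacts found; refusing to auto-merge"]
    reasons: List[str] = []
    metas: List[EnvMeta] = []
    for raw in artifacts:
        try:
            metas.append(parse_artifact(raw))
        except (KeyError, TypeError, ValueError) as exc:
            reasons.append(f"unreadable metadata record: {exc}")
    if reasons:
        return False, reasons
    missing = [key for _, key in PLAN_FIELDS if key not in limits]
    if missing:
        return False, [f"limit '{key}' is not configured" for key in missing]
    # Exact-match allow list; the actor recorded for every environment must be permitted.
    for actor in sorted({m.actor for m in metas}):
        if actor not in allowed_actors:
            reasons.append(f"actor '{actor}' is not in the allowed actors list")
    # Every environment's plan must stay within every configured limit.
    for m in metas:
        for name, key in PLAN_FIELDS:
            count = getattr(m.plan, name)
            if count > limits[key]:
                reasons.append(f"{m.environment}: plan {name}={count} exceeds {key}={limits[key]}")
    return not reasons, reasons


if __name__ == "__main__":
    eligible, why = evaluate(SAMPLE_ARTIFACTS, ALLOWED_ACTORS, LIMITS)
    print(f"is-eligible={str(eligible).lower()}")
    for line in why:
        print(f"::notice::{line}")
```

Every rejection carries a reason, which is what the "Log reason & skip" branch in the flowchart needs, and the gate returns not-eligible when artifacts are missing, malformed, or when a limit key is absent, rather than treating an unconfigured limit as unlimited.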