Context
The Phase 2 CI/release infrastructure rollout added CI workflows, release config, AGENTS, RELEASES, and pre-commit configuration to all 15 Framework-R-D/action-* repositories. Two items were explicitly deferred to follow-on work:
Deferred items
1. Branch protection rules
Each action repo's main branch should have branch protection configured:
- Require PR before merging
- Require status checks to pass (actionlint, yaml-check, markdown-check, codeql)
- Dismiss stale reviews on push
- For action-generate-build-matrix: also require python-check and python-test
This must be done via the GitHub settings UI or the API (gh api repos/Framework-R-D/action-NAME/branches/main/protection --method PUT ...) for each of the 15 repos.
2. Dependabot auto-merge workflow
A dependabot-auto-merge.yaml workflow would auto-merge passing dependabot PRs without manual review. This requires branch protection (item 1) to be in place first, so that the merge only occurs after CI passes.
The @phlexbot auto-merge infrastructure used in the phlex main repo can serve as a reference.
Repositories affected
All 15 action-* repos:
build-cmake, collect-format-results, complete-pr-comment, configure-cmake,
detect-act-env, detect-relevant-changes, generate-build-matrix, get-pr-info,
handle-fix-commit, post-clang-tidy-results, prepare-check-outputs,
prepare-fix-outputs, run-change-detection, setup-build-env, workflow-setup
Notes
From the plan decisions: "dependabot-auto-merge.yaml not added: auto-merge requires branch protection rules to be configured per repo. This is an optional follow-on; defer to a separate issue."
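Added example, not part of the original issue or the project's tooling: one way to script item 1 across the 15 repos with the `gh api ... --method PUT` call quoted above. The values for `strict`, `enforce_admins` and `required_approving_review_count` are assumptions (the issue does not state them), as is the assumption that the status check contexts are reported under exactly the names listed in the issue.

```shell
#!/usr/bin/env bash
# Added example: build and apply the branch protection payload from item 1.
set -eu
ORG="Framework-R-D"
REPOS="build-cmake collect-format-results complete-pr-comment configure-cmake
detect-act-env detect-relevant-changes generate-build-matrix get-pr-info
handle-fix-commit post-clang-tidy-results prepare-check-outputs
prepare-fix-outputs run-change-detection setup-build-env workflow-setup"

# Required status checks for one repo (names as listed in the issue).
required_checks() {
  checks="actionlint yaml-check markdown-check codeql"
  if [ "$1" = "generate-build-matrix" ]; then checks="$checks python-check python-test"; fi
  echo "$checks"
}

# Emit the JSON body for PUT /repos/{owner}/{repo}/branches/{branch}/protection.
# Assumptions (not stated in the issue): strict=false, enforce_admins=true,
# and a review count of 0, which requires a PR but no approval.
protection_payload() {
  contexts=""
  for c in $(required_checks "$1"); do
    contexts="${contexts:+$contexts,}\"$c\""
  done
  cat <<EOF
{
  "required_status_checks": {"strict": false, "contexts": [$contexts]},
  "enforce_admins": true,
  "required_pull_request_reviews": {"dismiss_stale_reviews": true, "required_approving_review_count": 0},
  "restrictions": null
}
EOF
}

# Send the payload for one repo; needs a token with admin rights on the repo.
apply_protection() {
  protection_payload "$1" |
    gh api "repos/$ORG/action-$1/branches/main/protection" --method PUT --input -
}

# Dry run by default (lists the checks per repo); pass --apply to send requests.
for repo in $REPOS; do
  if [ "${1:-}" = "--apply" ]; then
    apply_protection "$repo"
  else
    echo "action-$repo: $(required_checks "$repo")"
  fi
done
```

After applying, `gh api repos/Framework-R-D/action-NAME/branches/main/protection` returns the stored rule, which can be compared against the payload before the auto-merge workflow in item 2 is enabled.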