bug: admin merge pattern race condition allows unapproved auto-merges #83
Description
Bug
When performing an admin merge (disable enforce_admins → merge → re-enable), there is a race window where ANY PR with auto-merge enabled and green CI can merge without the required approval review.
Observed
PR #69 auto-merged at 18:11:48 on 2026-03-15 with zero approval reviews (only a Copilot COMMENTED review). This happened during the enforce_admins disable window while admin-merging PR #80.
Root Cause
Our admin merge pattern:
gh api repos/{owner}/{repo}/branches/main/protection/enforce_admins -X DELETE
gh pr merge N --merge --admin --delete-branch
gh api repos/{owner}/{repo}/branches/main/protection/enforce_admins -X POSTBetween DELETE and POST, admins bypass branch protection. GitHub's auto-merge runs as the admin user (microsasa), so it can satisfy the approval requirement during this window.
Impact
Any PR with:
- Auto-merge enabled ✅
- Green CI ✅
- No required approval ❌
...can slip through without review during the enforce_admins disable window.
Mitigation Options
- Disable auto-merge on all other PRs before doing admin merges
- Use a non-admin service account for auto-merge
- Use a GitHub App with limited permissions instead of admin PATs
- Script the admin merge to be atomic (minimize the window)
Related
- PR fix: inherit _FileChangeHandler from FileSystemEventHandler (#67) #69 — merged without approval due to this race condition
- PR fix: quality-gate accepts COMMENTED reviews from Copilot #80 — the admin merge that opened the window