From 9edec53465d786d514bc2ceeb8adb60f6788d4cf Mon Sep 17 00:00:00 2001 From: Sasa Junuzovic Date: Sun, 15 Mar 2026 11:16:25 -0700 Subject: [PATCH] =?UTF-8?q?docs:=20safe=20admin=20merge=20procedure=20?= =?UTF-8?q?=E2=80=94=20disable=20auto-merge=20first?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Document the race condition where disabling enforce_admins allows auto-merge PRs to merge without required approvals (issue #83). Updated the admin merge workaround with steps to disable/re-enable auto-merge on other PRs. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- docs/agentic-workflows.md | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/docs/agentic-workflows.md b/docs/agentic-workflows.md index efc9beb..5c5eab7 100644 --- a/docs/agentic-workflows.md +++ b/docs/agentic-workflows.md 
@@ -362,16 +362,28 @@ EOF With `enforce_admins: true` and 1 required approval, you can't merge your own PRs without an external approver. Workaround: ```bash -# Temporarily disable enforce_admins +# 1. FIRST: Disable auto-merge on all other open PRs (CRITICAL — race condition, see #83) +for pr in $(gh pr list --state open --json number,autoMergeRequest --jq '.[] | select(.autoMergeRequest != null) | .number'); do + gh pr merge --disable-auto "$pr" +done + +# 2. Temporarily disable enforce_admins gh api repos/OWNER/REPO/branches/main/protection/enforce_admins -X DELETE -# Admin merge +# 3. Admin merge gh pr merge --merge --admin --delete-branch -# Re-enable +# 4. Re-enable enforce_admins gh api repos/OWNER/REPO/branches/main/protection/enforce_admins -X POST + +# 5. Re-enable auto-merge on those PRs +for pr in ; do + gh pr merge --enable-auto --merge "$pr" +done ``` +> **Warning**: Skipping steps 1 and 5 allows any PR with auto-merge + green CI to merge without required approvals during the enforce_admins disable window. PR #69 merged with zero approvals due to this race condition (issue #83). + This is a known limitation for solo repos. Agent PRs don't need this — the quality gate approves them.
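Review bot: Step 5's loop reads `for pr in ; do`, so as written it iterates over nothing, and step 1 never records which PRs it touched, which leaves the reader with no list to restore. Capture the step 1 result once, for example `prs=$(gh pr list --state open --json number,autoMergeRequest --jq '...')`, and loop over `$prs` in both steps. Step 5 also hard-codes `--merge`, so a PR that had auto-merge queued with a different method would come back changed; either save the method alongside the number in step 1 or say in the text that the method must be re-checked. Two further gaps are worth a sentence in the doc: if step 3 fails or the shell is interrupted, step 4 may never run and `enforce_admins` stays off, so a `trap` that issues the `-X POST` on exit would be safer; and step 1 only covers PRs that have auto-merge enabled at that instant, so a PR that gets auto-merge enabled between steps 1 and 4 is still exposed. The warning should say the window is narrowed rather than closed. Since `gh pr list` returns a limited number of results by default, consider adding an explicit `--limit` for repos with many open PRs.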