fix: re-enable Speakeasy auto-merge with GitHub App auth #489
a6b90a8 to 2bbea42
Replace GH_TOKEN PAT (blocked by enterprise 366-day policy) with short-lived GH_DOCS_SYNC app tokens, matching openrouter-web #25517. Re-enables auto-merge disabled on main (SDK-466), retries branch_name log extraction, and passes run_started_at via resolve-branch job output.
2bbea42 to 5f58e60
Perry's Review
Re-enables the Speakeasy auto-merge automation by replacing the PAT (gh_token) with a GH_DOCS_SYNC GitHub App token across the auto-merge, agent-dispatch, and both SDK-generation workflows, and threads run_started_at through resolve-branch with a log-readiness retry loop.
Verdict: 💬 Comments / questions
Details
Risk: 🟡 Medium — CI/CD config only (Speakeasy regen automation); reversible by rollback, fast-detect via Actions, no committed secrets.
CI: all passing ✅
Findings (one standing item, already tracked inline — not re-posted):
- 🟡 The run_started_at API fallback in both generation workflows still uses a malformed gh invocation (the jq raw flag is swallowed as the jq expression, hard-failing the resolve-branch step under set -euo pipefail on exactly the empty-run_started_at fallback this PR adds). Two of my prior review threads at a6b90a8 flag this and remain unresolved — re-affirmed against this head; the offending lines are unchanged. Dropping that stray flag (the gh jq flag is already raw) fixes it; the repo's own state lookup nearby uses the correct form.
Verified at source:
- Both reusable-workflow callers updated in lockstep; resolve-branch job + output wiring correct; auto-merge consumes resolve-branch.outputs.run_started_at.
- GH_DOCS_SYNC_APP_ID / GH_DOCS_SYNC_APP_PRIVATE_KEY secret names consistent across all four workflows and the create-github-app-token@v3 step inputs; dispatch-agent-bump scopes the token to typescript-agent.
- Auto-merge body (PR resolution, supersede-close, squash/auto-merge, wait_for_checks) is a verbatim un-comment of the previously-disabled block, now driven by the App token; the contents:write / pull-requests:write permissions cover the merge/close operations.
Security: GitHub App credential handling (attacker class: supply-chain) — App ID + private key are referenced via secrets only; no literal credential added in the diff. Net improvement over the prior PAT.
Test coverage: N/A — GitHub Actions workflow config; exercised only by the live Speakeasy generate→merge pipeline.
Unresolved threads: 2 (both Perry-authored, same standing run_started_at fallback finding above).
Scope: incremental re-review (prior reviewed SHA on record; no diff snapshot) — standing finding re-affirmed, no net-new findings
Review: tier=medium · model=claude-opus-latest · score=4.8
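The malformed fallback that the review above flags, as an added example that is not code from this PR: a constructed workflow excerpt (hypothetical step names, repo and run-id variables) containing one `gh api ... --jq -r` call of the kind described and one correct call, a grep lint that spots the stray jq flag, and a sed fixer that drops it.

```bash
#!/usr/bin/env bash
# Added example, not from the PR. `gh api ... --jq -r '.field'` hands "-r" to gh as
# the jq program (gh's --jq output is already raw), so the real expression becomes a
# stray positional argument and the step fails under `set -euo pipefail`.
set -eu

# Constructed workflow excerpt (hypothetical names/paths): line 4 is the bad shape,
# line 7 the correct one that the review says the repo's state lookup already uses.
SAMPLE_WORKFLOW='
      - name: resolve run_started_at (API fallback)
        run: |
          run_started_at=$(gh api "repos/${REPO}/actions/runs/${RUN_ID}" --jq -r ".run_started_at")
      - name: look up run state
        run: |
          state=$(gh api "repos/${REPO}/actions/runs/${RUN_ID}" --jq ".status")
'

# lint_jq_flags TEXT: print "LINE:content" for every --jq whose argument begins with a
# dash, i.e. a jq flag (-r, -c, ...) that gh would treat as the expression itself.
# Prints nothing when the text is clean.
lint_jq_flags() {
  printf '%s' "$1" | grep -nE -- "--jq[[:space:]]+['\"]?-[A-Za-z]+" || true
}

# fix_jq_flags TEXT: rewrite `--jq -r <expr>` (any single-word jq flag) to `--jq <expr>`,
# leaving the expression and everything else on the line untouched.
fix_jq_flags() {
  printf '%s' "$1" | sed -E "s/--jq[[:space:]]+-[A-Za-z]+[[:space:]]+/--jq /g"
}

# Stand-alone run: report findings, then show the corrected excerpt.
lint_jq_flags "$SAMPLE_WORKFLOW"
fix_jq_flags "$SAMPLE_WORKFLOW"
```

Run it against a checkout with `lint_jq_flags "$(cat .github/workflows/some-workflow.yaml)"` (path hypothetical) to list offending lines before editing them.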
Summary
- Replace GH_TOKEN fine-grained PAT with short-lived GH_DOCS_SYNC GitHub App tokens (actions/create-github-app-token@v3), matching openrouter-web #25517
- Retry branch_name extraction for up to 2 minutes while Generate job logs propagate
- Pass run_started_at through resolve-branch job output (with API fallback)
- Switch dispatch-agent-bump.yaml to the same app token for cross-repo dispatch

Prerequisites
- GH_DOCS_SYNC_APP_ID and GH_DOCS_SYNC_APP_PRIVATE_KEY added to typescript-sdk repo secrets (already exist in openrouter-web)
- GH_DOCS_SYNC app has Contents + Pull requests write on typescript-sdk, and dispatch access on typescript-agent

Test plan
- main: resolve-branch logs "Extracted branch_name=... (attempt N)"
- auto-merge resolves and squash-merges the regen PR (not "auto-merge disabled")
- typescript-agent