Files
Gitea-Tools/skills/llm-project-workflow/templates/merge-pr.md
T
sysadminandClaude Opus 4.8 fd2bc018ff fix: guard remote/repo mismatch vs local git remote (Closes #530)
Bare remote=prgs resolved to the hardcoded REMOTES default
Scaled-Tech-Consulting/Timesheet instead of the Gitea-Tools repository
the local git remote points at, causing false 404s and risking mutation
of a different repository.

Add remote_repo_guard.assess_remote_repo_match (pure) + formatter, wired
into gitea_mcp_server._resolve so every read/lookup/mutation tool fails
closed when the MCP-resolved org/repo disagrees with the local git remote
URL and the caller did not pass explicit org/repo. The guard is
best-effort: it skips when both org and repo are explicit, when the local
remote URL is unavailable, and is bypassed under pytest unless
GITEA_FORCE_REMOTE_REPO_CHECK is set.

Add tests/test_remote_repo_guard.py (pure-function cases + server wiring
proving a lookup tool cannot silently query a different repository), and
update author/reviewer/merger handoff templates to require explicit
remote/org/repo.

Closes #530

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-08 15:49:31 -04:00

4.3 KiB

Template: merge a PR (eligible reviewer only)

Copy, fill the <...> fields, and paste as the task prompt.

Task: merge PR #<pr> for issue #<n> if it is eligible and checks pass.

Load the canonical workflow first:
`skills/llm-project-workflow/workflows/review-merge-pr.md` (task mode: review-merge-pr).
Final report schema: `schemas/review-merge-final-report.md`.

Rules (llm-project-workflow):
- Repository targeting (#530): pass explicit `remote=`, `org=`, and `repo=` on
  every gitea-tools call (e.g. `remote=prgs org=Scaled-Tech-Consulting
  repo=Gitea-Tools`). A bare `remote=prgs` can resolve to the wrong default repo
  and is blocked when it disagrees with the local git remote URL.
- Only an eligible, NON-author reviewer merges. If authenticated user == PR
  author → STOP.
- Do not merge unless the PR is open, mergeable, and its checks/review pass.
- No force-merge, no bypassing branch protections.
- If the PR is closed but `merged=false`, STOP and run reconciliation. Do not clean up.

Steps:
1. Identity Checklist: Before claiming/working on merge, verify and state:
   - Required identity/profile for this task: merger (allowed to merge PRs)
   - Current authenticated identity (from whoami): <username>
   - Target task role: merger identity (must NOT be the PR author)
   *If the current identity does not match the required role (or is the PR author), STOP. Relaunch/switch to the correct profile first.*
2. Verify authenticated identity + active profile.
3. Confirm PR #<pr>: author (not you), state open, mergeable, review approved. Check if PR body uses `Closes #N` or `Fixes #N`; if it uses `Implements #N` or `Refs #N`, manual closing will be needed in step 29.
4. Capability evidence (#179): cite the exact gitea_resolve_task_capability
   output (or runtime context) proving merge_pr is allowed — a bare
   "capability checks passed" claim is downgraded.
5. Final live-state recheck (#179), immediately before the merge mutation —
   re-read the live PR and prove:
   - PR still open
   - live head SHA still equals the pinned/reviewed head SHA
   - base branch unchanged
   - no undismissed REQUEST_CHANGES / blocking review state remains
   If any recheck fails → STOP, re-pin, re-validate.
6. If any gate fails → STOP and report.
7. Merge with explicit confirmation (e.g. confirmation="MERGE PR <pr>"),
   pinning the reviewed head SHA (expected_head_sha) and, where supported,
   the changed-file set.
8. Confirm remote master now contains the merge commit (or the expected changes if squash merged).
   *Note: Gitea PR "closed" state is NOT equivalent to "merged". Do not assume a closed PR succeeded without verifying the actual landed changes.*

Post-merge cleanup (#517): merger sessions must NOT perform ad hoc cleanup.
- Record merge mutations separately from cleanup mutations in the controller handoff.
- Hand cleanup to a `prgs-reconciler` session — never raw `git branch -d`,
  `git push --delete`, curl/API comment deletion, or local scripts.
- Reconciler cleanup must cite authorized MCP tools
  (`gitea_reconcile_merged_cleanups`, `gitea_cleanup_post_merge_moot_lease`,
  `gitea_delete_branch`, etc.) plus `gitea.branch.delete` capability proof.

Then run the cleanup template (worktree-cleanup.md) in a reconciler session:
- Verify expected file/commit presence on master (post-merge file-presence verification):
  - Run: git fetch <remote> --prune; git checkout master; git pull <remote> master --ff-only
  - Verify that the expected files added/modified in the PR are present on master (or absent if deleted).
  - Alternatively, verify with: git log --oneline -- <expected-file> or git merge-base --is-ancestor <pr-head-sha> master
- close/release issue #<n>, remove status:in-progress (if it cannot be removed, report why)
- delete remote branch, remove local branch + worktree folder
- fetch/prune; confirm main checkout is clean and current (0 0).

Handoff: end with a section titled exactly `Controller Handoff` per SKILL.md
§K (long form — a merge is always high-risk), including the review/merge role
fields (Selected PR, Reviewer eligibility, Pinned reviewed head, Review
decision, Merge result, Linked issue status, Cleanup status) plus: merge
commit, PR metadata state/merged flag/hash, remote master hash, and the
post-merge verification method used & verification results. Reports missing
the handoff are downgraded (review_proofs.assess_controller_handoff).