ci: add PR merge guidance workflow #1971

Open

Pouyanpi wants to merge 2 commits into develop from pouyanpi/github-actions-gpg-comments

Conversation

@Pouyanpi (Collaborator) commented Jun 2, 2026

Summary

Adds a PR guidance workflow that comments on non-draft PRs when contributor-actionable merge blockers are detected:

  • unverified commit signatures
  • merge conflicts requiring a rebase

The workflow updates one bot comment, deletes it when no guidance is needed, skips draft PRs, and skips PRs created before April 1, 2026.

Automatic runs remain disabled unless PR_MERGE_GUIDANCE_ENABLED=true is set.

Testing

Tested on fork PR Pouyanpi#32:

  • dry-run produced the expected unsigned-commit guidance
  • live run created the expected GitHub Actions bot comment
  • draft PR dry-run skipped as expected
  • local YAML parse and git diff --check passed

Summary by CodeRabbit

  • New Features
    • Pull requests now receive automated guidance comments identifying merge conflicts and unverified commits.
    • Guidance comments automatically update or remove as PR status changes.

@Pouyanpi Pouyanpi marked this pull request as ready for review June 2, 2026 12:27
coderabbitai Bot (Contributor) commented Jun 2, 2026

📝 Walkthrough

This PR adds a new GitHub Actions workflow that automatically manages merge guidance comments on pull requests. The workflow monitors PR lifecycle events and pushes to main/develop branches, then posts warnings about merge conflicts or unverified commits to affected PRs with dry-run support by default.

Changes

PR Merge Guidance Workflow

  • Workflow triggers and configuration (.github/workflows/pr-merge-guidance.yml): Defines event triggers for PR lifecycle changes and pushes to main/develop, sets up job permissions, concurrency groups, and environment variables for the script runtime.
  • PR discovery and routing (.github/workflows/pr-merge-guidance.yml): Determines target PR(s) from workflow_dispatch input or by querying open PRs for the base branch on push events; fails gracefully when neither is available.
  • Comment and PR state helpers (.github/workflows/pr-merge-guidance.yml): GraphQL helper for fetching PR state with automatic retry when mergeability is unresolved; helpers to locate and delete existing bot comments by marker prefix.
  • Main PR processing and comment management (.github/workflows/pr-merge-guidance.yml): Core per-PR logic: enforces creation-date cutoff, clears guidance for drafts, detects merge conflicts and unverified commits, and creates/updates/deletes comments with dry-run support.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks: ✅ 6 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'ci: add PR merge guidance workflow' directly and clearly describes the main change: introducing a new GitHub Actions workflow for PR merge guidance.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Test Results For Major Changes: ✅ Passed. PR adds a GitHub Actions workflow (infrastructure change), not a major feature/application change; testing documentation exists in PR objectives.


coderabbitai Bot (Contributor) left a comment

🧹 Nitpick comments (2)
.github/workflows/pr-merge-guidance.yml (2)

65-67: ⚡ Quick win

Consider wrapping individual PR processing in try-catch to avoid skipping remaining PRs.

If processPullRequest throws for one PR (e.g., transient API error), the loop exits and subsequent PRs are not processed. For push events that may affect many open PRs, this could leave some without guidance.

🛡️ Proposed fix to add error handling
              for (const openPullRequest of openPullRequests) {
-               await processPullRequest(openPullRequest.number);
+               try {
+                 await processPullRequest(openPullRequest.number);
+               } catch (error) {
+                 core.warning(`Failed to process PR #${openPullRequest.number}: ${error.message}`);
+               }
              }
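Review bot: the catch block (`+ } catch (error) {` … `+ core.warning(...)`) turns every per-PR failure into a warning, so a batch run in which every PR failed still reports success; consider counting failures inside the catch and calling core.setFailed after the loop when the count is non-zero, so transient API errors remain visible in the run status while the remaining PRs are still processed. The message interpolation also assumes an Error instance; `error instanceof Error ? error.message : String(error)` keeps the log useful if a non-Error value is thrown.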
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-merge-guidance.yml around lines 65 - 67, The loop over
openPullRequests should not abort on a single failure: wrap the await
processPullRequest(openPullRequest.number) call in a try-catch inside the for
loop so each PR is processed independently; on error catch the exception, log a
descriptive message including the openPullRequest.number and error details (or
record failure) and continue to the next PR, ensuring transient API errors or
one bad PR don’t prevent processing of remaining PRs.

37-37: 💤 Low value

Pin actions/github-script to a commit SHA (supply-chain security)

.github/workflows/pr-merge-guidance.yml line 37 uses actions/github-script@v9 (mutable tag); pin it to a specific commit SHA such as 3a2844b7e9c422d3c10d287c895573f7108da1b3 (v9.0.0) to avoid unexpected changes.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/pr-merge-guidance.yml at line 37, Replace the mutable
action reference "actions/github-script@v9" with a pinned commit SHA to prevent
supply-chain changes; update the use of actions/github-script in the workflow
(the line that currently references actions/github-script@v9) to the specific
commit SHA (for example 3a2844b7e9c422d3c10d287c895573f7108da1b3) so the
workflow uses an immutable reference.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c362686c-df22-437f-8281-8b9beb3f6057

📥 Commits

Reviewing files that changed from the base of the PR and between 8082e74 and 29bd21e.

📒 Files selected for processing (1)
  • .github/workflows/pr-merge-guidance.yml

greptile-apps Bot (Contributor) commented Jun 2, 2026

Greptile Summary

This PR adds a new GitHub Actions workflow (pr-merge-guidance.yml) that automatically comments on non-draft PRs when contributor-actionable merge blockers are detected (unverified commit signatures or merge conflicts), and cleans up the comment when blockers are resolved.

  • The workflow is triggered by pull_request_target events, pushes to main/develop, and workflow_dispatch; automatic execution is opt-in via PR_MERGE_GUIDANCE_ENABLED=true.
  • Error isolation (per-PR try/catch in batch mode), comment-search ordering (after cutoff check), and UNKNOWN-mergeable logging are all correctly implemented in this version.
  • The pull_request_target trigger is used intentionally to support fork PRs with write-access commenting, and no PR branch code is checked out, keeping the current implementation safe.

Confidence Score: 5/5

The workflow is safe to merge; all previously identified issues are resolved and the implementation correctly handles edge cases.

The workflow is well-structured: error isolation in batch mode, correct ordering of the date-cutoff and comment-lookup checks, retry logic with an explicit warning on unresolved UNKNOWN mergeable state, and idempotent comment management (create/update/delete). The only standing concern is the inherent latent risk of pull_request_target with write permissions, which is safe in the current implementation but would become dangerous if a checkout of PR code were ever added.

pr-merge-guidance.yml — the pull_request_target trigger with write-access token warrants a maintenance comment so future contributors know not to add a PR-branch checkout step.

Important Files Changed

  • .github/workflows/pr-merge-guidance.yml: New GitHub Actions workflow that detects unverified commits and merge conflicts on non-draft PRs and posts/updates/removes a single bot guidance comment; previous review concerns (error isolation, comment ordering, UNKNOWN-state logging) are all addressed in the current diff.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A([Trigger]) --> B{Event type?}
    B -- pull_request_target --> C[PR_NUMBER set]
    B -- push to main/develop --> D[BASE_BRANCH set]
    B -- workflow_dispatch --> E[pr_number input]
    C --> F[processPullRequest PR_NUMBER]
    E --> F
    D --> G[Paginate open PRs on branch]
    G --> H{For each PR}
    H -- try --> F
    H -- catch --> I[core.warning + continue]
    F --> J[REST: get PR metadata]
    J --> K{PR open?}
    K -- No --> L[Skip]
    K -- Yes --> M{PR created before cutoff?}
    M -- Yes --> L
    M -- No --> N[findExistingComment]
    N --> O{PR is draft?}
    O -- Yes --> P[deleteExistingComment]
    O -- No --> Q[getPullRequestState with retries]
    Q --> R[listCommits]
    R --> S{Conflict or unverified commits?}
    S -- None --> T[deleteExistingComment]
    S -- Found --> U{Existing comment?}
    U -- Yes, body changed --> V[updateComment]
    U -- Yes, same body --> W[No-op]
    U -- No --> X[createComment]
Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
.github/workflows/pr-merge-guidance.yml:3-5
**`pull_request_target` with write permissions — safe today, fragile by design**

This workflow uses `pull_request_target` (which runs in the base-branch context with the full `GITHUB_TOKEN`) alongside `issues: write` and `pull-requests: write`. The current implementation is safe because no PR branch code is checked out or executed. However, `pull_request_target` + write permissions is one of GitHub's most commonly cited high-risk patterns: any future change that adds an `actions/checkout` step pointing at `github.event.pull_request.head.sha` would immediately create a token-exfiltration vector for malicious fork PRs. A prominent comment in the workflow (or a dedicated step guard) warning future contributors not to checkout PR code here would make this constraint explicit and durable.

Reviews (3): Last reviewed commit: "apply review suggestions" | Re-trigger Greptile
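The decision logic in the flowchart above, written out as pure functions so it can be exercised offline. This is an added example, not the workflow's own script; the MARKER value, the function names, and the sample PR data are assumptions, and the April 1, 2026 cutoff comes from the PR description.

```javascript
// Added example (not the PR's workflow code): per-PR decision logic from the flowchart,
// as pure functions over constructed data. MARKER and all function names are assumptions.
const MARKER = "<!-- pr-merge-guidance -->"; // assumed marker prefix the bot searches for
const CUTOFF = new Date("2026-04-01T00:00:00Z"); // creation-date cutoff from the PR description

// Closed PRs and PRs created before the cutoff are skipped without touching any comment.
function shouldSkip(pr) {
  return pr.state !== "OPEN" || new Date(pr.createdAt) < CUTOFF;
}

// Return the guidance body for a PR, or null when the contributor has nothing to fix
// (drafts always yield null so an existing comment gets deleted).
function buildGuidance(pr, commits) {
  if (pr.isDraft) return null;
  const lines = [];
  if (pr.mergeable === "CONFLICTING") {
    lines.push("- This branch has merge conflicts; rebase onto the base branch and push again.");
  }
  const unverified = commits.filter((c) => !(c.verification && c.verification.verified));
  if (unverified.length > 0) {
    const shas = unverified.map((c) => c.sha.slice(0, 7)).join(", ");
    lines.push(`- ${unverified.length} commit(s) lack a verified signature: ${shas}. Sign them and force-push.`);
  }
  return lines.length === 0 ? null : `${MARKER}\n### Merge guidance\n${lines.join("\n")}`;
}

// Idempotent comment management: compare the existing bot comment body with the desired one.
function planCommentAction(existingBody, desiredBody) {
  if (desiredBody === null) return existingBody === null ? "noop" : "delete";
  if (existingBody === null) return "create";
  return existingBody === desiredBody ? "noop" : "update";
}

// Batch mode (push events): handle each PR independently so one failure is
// reported through warn() and does not abort the remaining PRs.
function processAll(prs, handler, warn) {
  const results = {};
  for (const pr of prs) {
    try {
      results[pr.number] = handler(pr);
    } catch (error) {
      warn(`Failed to process PR #${pr.number}: ${error.message}`);
      results[pr.number] = "error";
    }
  }
  return results;
}

// Constructed sample input (not real PR data): a conflicted PR with one unsigned commit.
const SAMPLE_PR = { number: 32, state: "OPEN", isDraft: false, mergeable: "CONFLICTING", createdAt: "2026-06-02T12:00:00Z" };
const SAMPLE_COMMITS = [{ sha: "abc1234def0", verification: { verified: true } }, { sha: "9876543210f", verification: { verified: false } }];
```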

@Pouyanpi Pouyanpi force-pushed the pouyanpi/github-actions-gpg-comments branch from c0eb109 to 070defc Compare June 2, 2026 13:52
@Pouyanpi Pouyanpi self-assigned this Jun 2, 2026
@Pouyanpi (Collaborator, Author) commented Jun 9, 2026

@claude review
