
fix(ci): fix guard condition and add auto-merge to bump-sha #165

Merged: YiWang24 merged 1 commit into main from fix/bump-sha-guard-and-automerge on May 26, 2026
YiWang24 (Collaborator) commented May 26, 2026

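Two issues

Issue 1: After Guard skips the subsequent steps, the Manage PRs step still runs and fails

Cause: The condition on the Manage PRs step only checked steps.push-branch.outputs.skip != 'true'.
When Guard detects a bump commit and sets skip=true, the push-branch step does not run,
so its outputs are empty strings; "" != 'true' is true, so the step runs with empty env vars and fails.

Fix: Add steps.guard.outputs.skip != 'true' to the condition.

if: steps.guard.outputs.skip != 'true' && steps.push-branch.outputs.skip != 'true'

Issue 2: The bump PR is not auto-merged after it is created

Cause: The workflow only created the PR; it had no auto-merge logic.

Fix: After the PR is created, run gh pr merge --auto --squash to enable auto-merge.
The bump commit only modifies manifest.yml and was already tested in the merge that triggered the workflow,
so auto-merge avoids manual intervention while still respecting branch protection rules.

no-issue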



Greptile Summary

This PR fixes two issues in the on-main-bump-sha workflow: a guard condition bug where Manage PRs would run with empty env vars when the Guard step triggered a skip, and the absence of auto-merge logic for the bump PR. The guard fix and auto-merge addition are both correct in intent, but the condition update is incomplete.

  • The Manage PRs condition now checks steps.guard.outputs.skip, correctly fixing the described bug, but it still omits steps.check.outputs.skip != 'true'. When check decides the SHA is already at HEAD, push-branch is skipped and its skip output becomes an empty string (not 'true'), so Manage PRs still executes with empty BRANCH, NEW_SHA, and OLD_SHA — potentially closing all existing bump PRs and deleting all bump branches unintentionally.
  • The auto-merge block uses gh pr merge --auto --squash with a graceful || warning fallback, and the commit subject matches the guard's detection pattern so re-entrancy is correctly prevented.

Confidence Score: 3/5

The guard fix addresses the stated bug, but leaves an adjacent hole that can cause the Manage PRs step to run with empty variables, closing or deleting valid open bump PRs on every SHA-is-current run.

The condition on the Manage PRs step still lacks a steps.check.outputs.skip guard. Whenever the SHA is already at HEAD (a normal, recurring state), check outputs skip=true, push-branch is skipped, and its outputs are empty strings — making the remaining two guards insufficient. The step then runs against empty BRANCH, OLD_SHA, and NEW_SHA, and the JQ filter select(.headRefName != "") matches every existing bump PR, closing them all and deleting their branches.

.github/workflows/on-main-bump-sha.yml — specifically the Manage PRs step condition at line 159.

Important Files Changed

Filename: .github/workflows/on-main-bump-sha.yml
Overview: Guard condition fix correctly addresses the original bug, but the Manage PRs condition still lacks a steps.check.outputs.skip != 'true' guard; the auto-merge logic is otherwise well-structured with graceful fallback.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Push to main] --> B[Guard step]
    B -- skip=true\nbump commit detected --> Z[End — skip all]
    B -- skip=false --> C[Check step\nSHA stale?]
    C -- skip=true\nSHA already at HEAD --> D{Manage PRs condition}
    C -- skip=false --> E[Run bump-self-sha.sh]
    E --> F[Push branch\nid: push-branch]
    F -- skip=true\nno files changed --> D
    F -- skip=false\nbranch pushed --> D
    D -- guard=false AND check=false AND push-branch.skip=false --> G[Manage PRs]
    D -- any skip=true --> Z2[End — skip]
    G --> H[gh pr create / reuse existing]
    H --> I[gh pr merge --auto --squash]
    I -- success --> J[Auto-merge enabled]
    I -- failure --> K[warning: repo may lack Allow auto-merge]

Reviews (1): Last reviewed commit: "fix(ci): fix guard condition and add aut..."

Greptile also left 1 inline comment on this PR.

Two fixes:

1. Guard condition: The 'Manage PRs' step only checked
   steps.push-branch.outputs.skip, but when the guard skips all steps,
   push-branch never runs and its outputs are empty — causing the step
   to execute with empty env vars and fail. Add steps.guard.outputs.skip
   check to prevent this.

2. Auto-merge: After creating the bump PR, enable auto-merge with
   gh pr merge --auto --squash so the PR self-merges once required
   checks pass. The bump commit only touches manifest.yml and was
   already tested by the triggering workflow.

YiWang24 merged commit 34a9357 into main on May 26, 2026 (12 of 16 checks passed)
YiWang24 deleted the fix/bump-sha-guard-and-automerge branch on May 26, 2026 02:47
openbot-dev (Bot) left a comment


Small, well-scoped improvement that adds a missing guard condition check and enables auto-merge on newly created bump PRs. One minor robustness note on URL parsing.


- name: Manage PRs — close old, clean orphans, open new
if: steps.push-branch.outputs.skip != 'true'
if: steps.guard.outputs.skip != 'true' && steps.push-branch.outputs.skip != 'true'
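
Review bot: the rewritten `if:` on the Manage PRs step still fails open, because `steps.push-branch.outputs.skip != 'true'` is true whenever push-branch did not run and its output is an empty string; the added `steps.guard.outputs.skip` term closes only the guard path. Prefer a test that an unset output cannot satisfy, for example `steps.push-branch.outputs.skip == 'false'` if push-branch writes that value explicitly when it pushes, and consider having the step's script exit early when the env vars it receives are empty.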


P1 Incomplete guard condition — check skip case still unprotected

The PR fixes the guard skip case, but the condition still doesn't include steps.check.outputs.skip != 'true'. When check determines the SHA is already at HEAD (or the manifest entry is missing), it sets skip=true and exits early, causing push-branch to be skipped entirely. A skipped step outputs an empty string for all its outputs, so steps.push-branch.outputs.skip becomes '' — and '' != 'true' is true — meaning Manage PRs still executes with BRANCH="", NEW_SHA="", and OLD_SHA="". Under set -euo pipefail, the select(.headRefName != "") filter matches every existing bump PR and closes them all, and the orphan-cleanup loop deletes every bump branch — damaging valid open PRs.

Suggested change
if: steps.guard.outputs.skip != 'true' && steps.push-branch.outputs.skip != 'true'
if: steps.guard.outputs.skip != 'true' && steps.check.outputs.skip != 'true' && steps.push-branch.outputs.skip != 'true'
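
The fail-open condition and the effect of an empty BRANCH described in the Greptile summary and inline comment above, as an added example that is not part of this PR or the project's workflow. The function names, the NAME=value input check and the sample branch names are hypothetical, and `prs_to_close` only models a filter of the form "head ref differs from the current branch".

```sh
#!/bin/sh
# Added example (not the project's workflow code); all names are hypothetical.
# A step that did not run exposes '' for every output, modelled here as "".
# Arguments to the cond_* functions: guard.skip, check.skip, push-branch.skip.

# Condition as merged in this PR: guard and push-branch only.
cond_merged() {
  [ "$1" != "true" ] && [ "$3" != "true" ]
}

# Condition from the inline suggestion: check must not have skipped either.
cond_suggested() {
  [ "$1" != "true" ] && [ "$2" != "true" ] && [ "$3" != "true" ]
}

# Models a "close every bump PR except the current one" filter.
# $1 = current bump branch, remaining arguments = head refs of open bump PRs.
prs_to_close() {
  current=$1
  shift
  for ref in "$@"; do
    if [ "$ref" != "$current" ]; then
      printf '%s\n' "$ref"
    fi
  done
}

# Defence in depth inside the step: `set -u` does not trip on variables that
# are set but empty, so check the values before any close/delete call.
# Arguments are NAME=value pairs.
require_inputs() {
  for kv in "$@"; do
    if [ -z "${kv#*=}" ]; then
      echo "refusing to manage PRs: ${kv%%=*} is empty" >&2
      return 1
    fi
  done
}

# Constructed scenario: guard passed, check skipped, push-branch never ran.
if cond_merged false true ""; then
  echo "merged condition: Manage PRs runs"
  BRANCH="" NEW_SHA="" OLD_SHA=""
  if ! require_inputs "BRANCH=$BRANCH" "NEW_SHA=$NEW_SHA" "OLD_SHA=$OLD_SHA"; then
    echo "input check stopped the step before any PR was touched"
  fi
fi
```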
