require_last_push_approval blocked barrettruth from approving their
own push. Disabled that restriction in the ruleset — 1 approval is
still required for all PRs, but the approver can now be the pusher.
DIGEST_PAT (barrettruth) approves, CI runs via PAT push, auto-merge
fires when checks pass.

The GITHUB_TOKEN has admin-level bypass on the ruleset. When
gh pr merge --auto is called, the bypass satisfies the review
requirement automatically — no explicit approve step needed.
The self-review error is gone. PAT still handles the push so
CI triggers.

require_last_push_approval blocks barrettruth from approving their
own push. The bot (GITHUB_TOKEN) approves instead — different actor
from the PAT pusher, satisfying the rule.

Problem: actions/checkout sets an http.extraheader with GITHUB_TOKEN
that overrides any credentials in the remote URL, so git push uses
GITHUB_TOKEN regardless of the URL — suppressing CI triggers.
Solution: unset the extraheader before pushing, forcing git to use
the DIGEST_PAT embedded in the remote URL.

ci(digest): push branch with PAT so CI triggers

Problem: GITHUB_TOKEN suppresses all downstream workflow triggers
including push events, so CI never runs on the digest branch.
Solution: push with DIGEST_PAT (triggers CI as a real user push),
then reset the remote to GITHUB_TOKEN for PR creation. Admin bypass
on the ruleset handles the review requirement.

Problem: GITHUB_TOKEN-created PRs suppress pull_request triggers,
so CI never runs and auto-merge stalls.
Solution: add ci/upstream-digest to the push trigger in test and
quality workflows. CI runs on the branch push before the PR exists;
check results attach to the commit SHA so the PR sees them as
passing. The digest workflow reverts to GITHUB_TOKEN for PR
creation — no PAT needed, no contribution inflation.

Problem: GITHUB_TOKEN-created PRs suppress pull_request workflow
triggers, so CI never runs and auto-merge stalls indefinitely.
Solution: use DIGEST_PAT to create the PR. A PAT-created PR is
treated as a real user action, triggering CI normally. Auto-approve
handles the review requirement, auto-merge fires when checks pass.

Problem: the main branch ruleset requires 1 approving review, which
blocks auto-merge. The GITHUB_TOKEN cannot approve its own PR.
Solution: after creating the PR, approve it using DIGEST_PAT (a
fine-grained PAT stored as a repo secret), then enable auto-merge.
The approval comes from a different actor than the bot, satisfying
require_last_push_approval.

Problem: the workflow creates a new dated branch each run. If a digest
PR is not merged before the next run, duplicate PRs accumulate.
Solution: use a single canonical branch ci/upstream-digest with
--force push. Each run resets to main, applies any new items, and
force-pushes. If a PR is already open for the branch, GitHub updates
it in place. A new PR is only created (with auto-merge) when none
exists. The close-stale step is no longer needed.

Problem: if a digest PR is not merged before the next weekly run, a
second PR is created for the same items plus any new ones, leading
to duplicate open PRs.
Solution: before fetching upstream activity, close any open PRs
labeled upstream/digest (deleting their branches). The new run
re-fetches all items since the last merged baseline and produces a
single up-to-date PR.

Problem: new upstream issues and PRs slip through because there's no
mechanism to surface them — manual polling of stevearc/oil.nvim is
required and easy to forget.
Solution: add a Monday 9am UTC scheduled workflow that reads the
highest stevearc/oil.nvim number from doc/upstream.md, fetches merged
PRs and new open issues/PRs above that threshold via the gh CLI, and
creates a structured digest issue in barrettruth/canola.nvim. No issue
is created when there's nothing new. Falls back to a 30-day window if
doc/upstream.md can't be parsed.
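
The ruleset settings these commit messages change (the 1-approval requirement, require_last_push_approval, the bypass on the ruleset) can be checked mechanically. The following is an added example, not code from this repository: it audits a ruleset document in the shape GitHub's REST API returns, and the sample ruleset, its ids and the audit_ruleset helper are constructed for illustration.

```python
import json

# Constructed sample shaped like the JSON GitHub's REST API returns for a
# repository ruleset. The name, actor id and values are invented, not taken
# from the repository these commits belong to.
SAMPLE_RULESET = json.loads("""
{
  "name": "main",
  "enforcement": "active",
  "bypass_actors": [
    {"actor_id": 5, "actor_type": "RepositoryRole", "bypass_mode": "always"}
  ],
  "rules": [
    {"type": "pull_request",
     "parameters": {"required_approving_review_count": 1,
                    "require_last_push_approval": false}}
  ]
}
""")


def audit_ruleset(ruleset):
    """Return findings on how the review requirement can be met or skipped."""
    findings = []
    if ruleset.get("enforcement") != "active":
        findings.append("ruleset is not actively enforced")
    pr_rules = [r for r in ruleset.get("rules", []) if r.get("type") == "pull_request"]
    if not pr_rules:
        findings.append("no pull_request rule: merges need no review")
    for rule in pr_rules:
        params = rule.get("parameters", {})
        if params.get("required_approving_review_count", 0) < 1:
            findings.append("zero approving reviews required")
        elif not params.get("require_last_push_approval", False):
            # The state described in the first commit message: one approval
            # is required, but the pusher may be the one who gives it.
            findings.append("last pusher may supply the required approval")
    for actor in ruleset.get("bypass_actors", []):
        if actor.get("bypass_mode") == "always":
            findings.append(
                f"{actor.get('actor_type')} {actor.get('actor_id')} bypasses all rules")
    return findings


if __name__ == "__main__":
    for finding in audit_ruleset(SAMPLE_RULESET):
        print("-", finding)
```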