MarkusNeusinger · MarkusNeusinger · Apr 29, 2026 · Apr 29, 2026 · Copilot · Apr 29, 2026
diff --git a/.github/workflows/impl-merge.yml b/.github/workflows/impl-merge.yml
@@ -191,9 +191,16 @@ jobs:
             gh pr update-branch "$PR_NUM" --repo "$REPOSITORY" 2>/dev/null || true
             sleep 2
 
+            # --admin bypasses the branch ruleset's required-status-check
+            # gate. Required because impl-generate.yml pushes via GITHUB_TOKEN,
+            # which by GitHub's anti-recursion design does not trigger
+            # downstream CI workflows (Run Linting / Run Tests / Run Frontend
+            # Tests), so impl PRs never get those checks. The pipeline already
+            # gates merge behind the AI quality review threshold.
             if gh pr merge "$PR_NUM" \
               --repo "$REPOSITORY" \
               --squash \
+              --admin \
-            # --admin bypasses the branch ruleset's required-status-check
-            # gate. Required because impl-generate.yml pushes via GITHUB_TOKEN,
-            # which by GitHub's anti-recursion design does not trigger
-            # downstream CI workflows (Run Linting / Run Tests / Run Frontend
-            # Tests), so impl PRs never get those checks. The pipeline already
-            # gates merge behind the AI quality review threshold.
-            if gh pr merge "$PR_NUM" \
-              --repo "$REPOSITORY" \
-              --squash \
-              --admin \
+            # Do not bypass branch protection rules. Only merge when the PR's
+            # checks are successful so required status checks remain enforced.
+            if ! gh pr checks "$PR_NUM" --repo "$REPOSITORY"; then
+              echo "::warning::Required PR checks are not passing yet; merge will be retried."
+            elif gh pr merge "$PR_NUM" \
+              --repo "$REPOSITORY" \
+              --squash \
-            # --admin bypasses the branch ruleset's required-status-check
-            # gate. Required because impl-generate.yml pushes via GITHUB_TOKEN,
-            # which by GitHub's anti-recursion design does not trigger
-            # downstream CI workflows (Run Linting / Run Tests / Run Frontend
-            # Tests), so impl PRs never get those checks. The pipeline already
-            # gates merge behind the AI quality review threshold.
-            if gh pr merge "$PR_NUM" \
-              --repo "$REPOSITORY" \
-              --squash \
-              --admin \
+            # Do not bypass branch protection rules. Only merge when the PR's
+            # checks are successful so required status checks remain enforced.
+            if ! gh pr checks "$PR_NUM" --repo "$REPOSITORY"; then
+              echo "::warning::Required PR checks are not passing yet; merge will be retried."
+            elif gh pr merge "$PR_NUM" \
+              --repo "$REPOSITORY" \
+              --squash \
               --delete-branch; then
               echo "::notice::Merge successful on attempt $attempt"
               exit 0