urunc-dev · cmainas · Apr 29, 2026
diff --git a/.github/workflows/add-git-trailers.yml b/.github/workflows/add-git-trailers.yml
@@ -1,47 +1,38 @@
 name: Add Git Trailers to PR commits
 
 on:
-  workflow_call:
-    secrets:
-      GIT_CLONE_PAT:
-        required: false
-      URUNC_BOT_PRIVATE_KEY:
-        required: true
+  pull_request_review:
+    types: [submitted]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
 
 permissions:
   contents: read
 
 jobs:
   git-trailers:
     name: Add Git Trailers
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - arch: amd64
-            runner: ubuntu-22.04
-    continue-on-error: true
-    permissions:
-      contents: write
-      pull-requests: write
+    if: >-
+      github.event.pull_request.base.ref == 'main' &&
+      github.event.review.state == 'approved' &&
+      github.event.pull_request.rebaseable != false
+    runs-on: ubuntu-22.04
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
 
-      - name: Exit if PR is not rebaseable
-        if: ${{ github.event.pull_request.rebaseable != null && github.event.pull_request.rebaseable == false }}
-        run: exit 1
-
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Append git trailers
-        uses: nubificus/git-trailers@8e08c91bb4c1fd9cb1ccbd9cc8029c31acf8da66 # feat_use_rebase
+        uses: nubificus/git-trailers@e3cefe03237a8a33f12ee41a8194bfb03a4d179b # fix_auto_merge
         with:
           user_info: .github/contributors.yaml
 
@@ -52,20 +43,9 @@ jobs:
           app-id: ${{ vars.URUNC_BOT_APP_ID }}
           private-key: ${{ secrets.URUNC_BOT_PRIVATE_KEY }}
 
-      - name: Set up Git
-        run: |
-          git config --global user.name "urunc-bot[bot]"
-          git config --global user.email "urunc-bot[bot]@users.noreply.github.com"
-
-      - name: Append git trailers
-        uses: nubificus/git-trailers@18fd322f3fbfd505b4de728974a4ac1f32f758a7 # feat_auto_merge
-        with:
-          user_info: .github/contributors.yaml
-
       - name: Merge PR
         env:
           GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
         run: |
-          PR_URL=${{ github.event.pull_request.html_url }}
-
           gh pr merge "$PR_URL" --rebase --admin
diff --git a/.github/workflows/pr-merge.yml b/.github/workflows/pr-merge.yml
@@ -4,6 +4,8 @@ on:
   pull_request_target:
     types:
       - closed
+    branches:
+      - 'main-pr*'
 
 permissions:
   contents: read
@@ -23,11 +25,6 @@ jobs:
         with:
           egress-policy: audit
 
-      - name: Set up Git
-        run: |
-          git config --global user.name "urunc-bot[bot]"
-          git config --global user.email "urunc-bot[bot]@users.noreply.github.com"
-
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -42,21 +39,33 @@ jobs:
           private-key: ${{ secrets.URUNC_BOT_PRIVATE_KEY }}
 
       - name: Append git trailers
-        uses: nubificus/git-trailers@18fd322f3fbfd505b4de728974a4ac1f32f758a7 # feat_auto_merge
+        uses: nubificus/git-trailers@e3cefe03237a8a33f12ee41a8194bfb03a4d179b # fix_auto_merge
         with:
           user_info: .github/contributors.yaml
 
       - name: Create a Pull Request from PR_BRANCH to main and merge it
         env:
           GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+          PR_BRANCH: ${{ github.event.pull_request.base.ref }}
         run: |
-          PR_BRANCH=${{ github.event.pull_request.base.ref }}
-
+          PR_NUMBER=${PR_BRANCH#main-pr}
+
+          # Use GitHub's API to get issues referenced with closing keywords
+          CLOSING_ISSUES=$(gh pr view "$PR_NUMBER" --json closingIssuesReferences \
+            --jq '.closingIssuesReferences[].number' || true)
+
+          BODY="This PR was automatically created by GitHub Actions to merge changes from $PR_BRANCH into main."
+          if [ -n "$CLOSING_ISSUES" ]; then
+            while IFS= read -r issue; do
+              BODY="$BODY"$'\n'"Closes #$issue"
+            done <<< "$CLOSING_ISSUES"
+          fi
+
           # Create the pull request
           PR_URL=$(gh pr create \
             --head "$PR_BRANCH" \
             --base main \
             --title "Merge External PR: Merge $PR_BRANCH into main" \
-            --body "This PR was automatically created by GitHub Actions to merge changes from $PR_BRANCH into main.")
+            --body "$BODY")
 
           gh pr merge "$PR_URL" --rebase --admin --delete-branch
diff --git a/.github/workflows/pr-trailers.yml b/.github/workflows/pr-trailers.yml