feat(ci): reusable auto-merge-on-green workflow

.github/workflows/auto-merge.yml

@@ -0,0 +1,53 @@
+# Auto-merge — enable GitHub's built-in auto-merge for authorized PRs
+#
+# Reusable workflow called by each repo's ci.yml. Enables SQUASH auto-merge
+# on the triggering PR, which tells GitHub to merge the PR automatically once
+# all required status checks pass (see org ruleset "Green Main" id 13878864).
+#
+# Escape hatches (no code change needed):
+#   - Open the PR as a draft       → auto-merge is not enabled
+#   - Apply the `hold` label       → auto-merge is skipped
+#   - Apply the `do-not-merge` label → auto-merge is skipped
+#
+# Caller pattern (per-repo ci.yml):
+#
+#   on:
+#     pull_request_target:
+#       types: [opened, reopened, synchronize, ready_for_review, labeled, unlabeled]
+#
+#   jobs:
+#     authorize:
+#       uses: paiml/.github/.github/workflows/pr-gate.yml@main
+#     auto-merge:
+#       needs: authorize
+#       uses: paiml/.github/.github/workflows/auto-merge.yml@main
+#
+# Prerequisites per repo:
+#   - `allow_auto_merge: true` in repo settings (gh api -X PATCH repos/OWNER/REPO -f allow_auto_merge=true)
+#   - At least one required status check (enforced fleet-wide by org ruleset `gate`)
+
+name: Auto-merge
+
+on:
+  workflow_call:
+
+jobs:
+  enable:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    if: |
+      github.event_name == 'pull_request_target' &&
+      github.event.pull_request.draft == false &&
+      !contains(github.event.pull_request.labels.*.name, 'hold') &&
+      !contains(github.event.pull_request.labels.*.name, 'do-not-merge')
+    steps:
+      - name: Enable squash auto-merge
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          # Idempotent: if auto-merge is already enabled, gh exits cleanly.
+          gh pr merge "$PR_NUMBER" --auto --squash

.github/workflows/ci.yml

@@ -0,0 +1,47 @@
+# CI for paiml/.github itself — lints reusable workflows so a broken YAML
+# or a config mismatch can't ship to the fleet.
+#
+# This workflow also produces the `gate` status check required by the org
+# ruleset "Green Main" (id 13878864). Without this, every PR to this repo
+# would be mergeStateStatus=BLOCKED and require an admin bypass.
+
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - name: Run actionlint
+        uses: raven-actions/actionlint@3a24062651993d40fed1019b58ac6fbdfbf276cc # v2.0.1
+        with:
+          matcher: true
+          fail-on-error: true
+      - name: Install yamllint
+        run: pip install --quiet yamllint
+      - name: yamllint (relaxed)
+        run: yamllint -d relaxed .github/workflows/
+
+  gate:
+    name: gate
+    needs: [lint]
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check required jobs
+        run: |
+          if [ "${{ needs.lint.result }}" != "success" ]; then
+            echo "lint failed (result: ${{ needs.lint.result }})"
+            exit 1
+          fi
+          echo "gate passed"

.github/workflows/sovereign-ci.yml

@@ -70,7 +70,7 @@ jobs:
     name: test
     runs-on: [self-hosted, clean-room]
     container:
-      image: localhost:5000/sovereign-ci:stable@sha256:c23c453328df86562ba69410810180d205490c6b202342972f65af7050db6686
+      image: localhost:5000/sovereign-ci:stable@sha256:dd219db7e10568f56aad0597367af1ba1b011d1a0d1c5c5e97b550501a3e014f
     timeout-minutes: 30
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
@@ -170,7 +170,7 @@ jobs:
     name: lint
     runs-on: [self-hosted, clean-room]
     container:
-      image: localhost:5000/sovereign-ci:stable@sha256:c23c453328df86562ba69410810180d205490c6b202342972f65af7050db6686
+      image: localhost:5000/sovereign-ci:stable@sha256:dd219db7e10568f56aad0597367af1ba1b011d1a0d1c5c5e97b550501a3e014f
     timeout-minutes: 30
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
@@ -273,7 +273,7 @@ jobs:
     if: ${{ !inputs.skip_coverage }}
     runs-on: [self-hosted, clean-room]
     container:
-      image: localhost:5000/sovereign-ci:stable@sha256:c23c453328df86562ba69410810180d205490c6b202342972f65af7050db6686
+      image: localhost:5000/sovereign-ci:stable@sha256:dd219db7e10568f56aad0597367af1ba1b011d1a0d1c5c5e97b550501a3e014f
     timeout-minutes: 30
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
@@ -371,7 +371,7 @@ jobs:
     if: ${{ inputs.run_benchmarks }}
     runs-on: [self-hosted, clean-room]
     container:
-      image: localhost:5000/sovereign-ci:stable@sha256:c23c453328df86562ba69410810180d205490c6b202342972f65af7050db6686
+      image: localhost:5000/sovereign-ci:stable@sha256:dd219db7e10568f56aad0597367af1ba1b011d1a0d1c5c5e97b550501a3e014f
     timeout-minutes: 60
     continue-on-error: true
     steps: