Hopefully final check

.github/workflows/add-git-trailers.yml

@@ -1,29 +1,25 @@
 name: Add Git Trailers to PR commits
 
 on:
-  workflow_call:
-    secrets:
-      GIT_CLONE_PAT:
-        required: false
-      URUNC_BOT_PRIVATE_KEY:
-        required: true
+  pull_request_review:
+    types: [submitted]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
 
 permissions:
   contents: read
 
 jobs:
   git-trailers:
     name: Add Git Trailers
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      matrix:
-        include:
-          - arch: amd64
-            runner: ubuntu-22.04
-    continue-on-error: true
+    if: >-
+      github.event.pull_request.base.ref == 'main' &&
+      github.event.review.state == 'approved'
+    runs-on: ubuntu-22.04
     permissions:
       contents: write
-      pull-requests: write
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
@@ -40,32 +36,23 @@ jobs:
           fetch-depth: 0
           ref: ${{ github.event.pull_request.head.sha }}
 
-      - name: Append git trailers
-        uses: nubificus/git-trailers@8e08c91bb4c1fd9cb1ccbd9cc8029c31acf8da66 # feat_use_rebase
-        with:
-          user_info: .github/contributors.yaml
-
       - name: Generate urunc-bot token
         id: generate-token
         uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         with:
           app-id: ${{ vars.URUNC_BOT_APP_ID }}
           private-key: ${{ secrets.URUNC_BOT_PRIVATE_KEY }}
 
-      - name: Set up Git
-        run: |
-          git config --global user.name "urunc-bot[bot]"
-          git config --global user.email "urunc-bot[bot]@users.noreply.github.com"
-
       - name: Append git trailers
-        uses: nubificus/git-trailers@18fd322f3fbfd505b4de728974a4ac1f32f758a7 # feat_auto_merge
+        uses: nubificus/git-trailers@1d1595aacfd9239ae69d773cb895606daa17e538
         with:
-          user_info: .github/contributors.yaml
+          token: ${{ steps.generate-token.outputs.token }}
+          user-info: .github/contributors.yaml
 
       - name: Merge PR
         env:
           GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
         run: |
-          PR_URL=${{ github.event.pull_request.html_url }}
-
+          sleep 5 # Wait for github to get updated with the push. Otherwise merge will fail
           gh pr merge "$PR_URL" --rebase --admin

.github/workflows/pr-merge.yml

@@ -4,29 +4,28 @@ on:
   pull_request_target:
     types:
       - closed
+    branches:
+      - 'main-pr*'
 
 permissions:
   contents: read
 
 jobs:
   add-trailers-and-merge:
     if: |
-      github.event.pull_request.merged == true &&
-      startsWith(github.event.pull_request.base.ref, 'main-pr')
+      github.event.pull_request.merged == true
     runs-on: ubuntu-latest
     permissions:
       contents: write
-
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
 
-      - name: Set up Git
-        run: |
-          git config --global user.name "urunc-bot[bot]"
-          git config --global user.email "urunc-bot[bot]@users.noreply.github.com"
+      - name: Exit if PR is not rebaseable
+        if: ${{ github.event.pull_request.rebaseable != null && github.event.pull_request.rebaseable == false }}
+        run: exit 1
 
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -42,16 +41,18 @@ jobs:
           private-key: ${{ secrets.URUNC_BOT_PRIVATE_KEY }}
 
       - name: Append git trailers
-        uses: nubificus/git-trailers@18fd322f3fbfd505b4de728974a4ac1f32f758a7 # feat_auto_merge
+        uses: nubificus/git-trailers@1d1595aacfd9239ae69d773cb895606daa17e538
         with:
-          user_info: .github/contributors.yaml
+          token: ${{ steps.generate-token.outputs.token }}
+          user-info: .github/contributors.yaml
 
       - name: Create a Pull Request from PR_BRANCH to main and merge it
         env:
           GH_TOKEN: ${{ steps.generate-token.outputs.token }}
+          PR_BRANCH: ${{ github.event.pull_request.base.ref }}
         run: |
           PR_BRANCH=${{ github.event.pull_request.base.ref }}
-      
+
           # Create the pull request
           PR_URL=$(gh pr create \
             --head "$PR_BRANCH" \