Description
The git-auto-commit-action in the lint CI workflow fails on main because repository branch protection rules prevent direct pushes. When ruff auto-fixes lint issues on a push to main, the action tries to commit and push directly back to main, which is rejected by GitHub's branch protection (merge queue required, PRs required, status checks required).
The fix is to replace stefanzweifel/git-auto-commit-action@v7 with peter-evans/create-pull-request@v7 so that when lint fixes are needed on main, a PR is created automatically instead of a direct push.
Context
Error observed in CI:
remote: error: GH013: Repository rule violations found for refs/heads/main.
remote: - Changes must be made through the merge queue
remote: - Changes must be made through a pull request.
remote: - 4 of 4 required status checks are expected.
remote: - 7 of 7 required status checks are expected.
! [remote rejected] main -> main (push declined due to repository rule violations)
This happens because line 49 of .github/workflows/lint.yml runs the auto-commit action on github.event_name == 'push' (which triggers on pushes to main), but main has branch protection rules that forbid direct pushes.
Value:
- Lint auto-fixes on main will actually work instead of failing silently
- Maintains branch protection integrity
- Auto-generated PRs go through the normal review/merge-queue process
Scope
Estimated Lines of Code: ~15 lines changed
Complexity: Low
Files to Modify:
- .github/workflows/lint.yml (~15 lines changed)
Acceptance Criteria
Core Implementation
- Replace stefanzweifel/git-auto-commit-action@v7 with peter-evans/create-pull-request@v7 in .github/workflows/lint.yml
- Configure the action to create a branch like auto-fix/ruff-lint and open a PR with title like "style: auto-fix ruff issues"
- Add appropriate labels to the auto-created PR (e.g., bot, style)
- Keep the condition github.event_name == 'push' so it only triggers on pushes to main, not on PRs
- Ensure the action deletes the branch after merge (use delete-branch: true)
Testing
- Verify the workflow YAML is valid (no syntax errors)
- Confirm the push to main trigger still works correctly
- Confirm pull_request and merge_group triggers are unaffected (auto-commit step should NOT run on PRs)
Technical Notes
Current Configuration (broken)
# .github/workflows/lint.yml lines 48-53
- name: Commit ruff fixes
  if: ${{ matrix.linter == 'ruff' && github.event_name == 'push' }}
  uses: stefanzweifel/git-auto-commit-action@v7
  with:
    commit_message: "style: auto-fix ruff issues"
    file_pattern: "particula/"
Proposed Configuration
- name: Create PR for ruff fixes
  if: ${{ matrix.linter == 'ruff' && github.event_name == 'push' }}
  uses: peter-evans/create-pull-request@v7
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
    commit-message: "style: auto-fix ruff issues"
    branch: auto-fix/ruff-lint
    title: "style: auto-fix ruff issues"
    body: |
      Automated PR to fix ruff lint issues detected on `main`.
      This PR was created automatically by the lint workflow.
    labels: bot, style
    delete-branch: true
Key Differences
- stefanzweifel/git-auto-commit-action pushes directly to the current branch → blocked by branch protection
- peter-evans/create-pull-request creates a new branch and opens a PR → respects branch protection rules
- The PR then goes through the normal merge queue / review process
Edge Cases and Considerations
- If no files are changed by ruff, create-pull-request will simply not create a PR (it detects no diff)
- If a PR already exists from a previous run on auto-fix/ruff-lint, the action will update it instead of creating a duplicate
- The GITHUB_TOKEN permissions already include contents: write (line 19), which is sufficient for create-pull-request
References
Related Code:
- .github/workflows/lint.yml - The workflow to modify
- peter-evans/create-pull-request docs
- stefanzweifel/git-auto-commit-action docs
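The GH013 rejection quoted under Context can be picked out of CI logs mechanically, which helps find other workflow steps that still push directly to a protected ref. The following is an added example, not code from this issue or its repository: the function names `parse_gh013` and `blocked_by_pr_rule` are hypothetical, and the first and last lines of the sample log are constructed around the output quoted above.

```python
import re

# Constructed sample: the rejection quoted under "Context", wrapped in two
# made-up neighbouring log lines (first and last) for realism.
SAMPLE_LOG = """\
Run stefanzweifel/git-auto-commit-action@v7
remote: error: GH013: Repository rule violations found for refs/heads/main.
remote: - Changes must be made through the merge queue
remote: - Changes must be made through a pull request.
remote: - 4 of 4 required status checks are expected.
remote: - 7 of 7 required status checks are expected.
 ! [remote rejected] main -> main (push declined due to repository rule violations)
Error: push failed
"""

HEADER = re.compile(r"remote:\s+error:\s+GH013: Repository rule violations found for (\S+?)\.?$")
RULE = re.compile(r"remote:\s+-\s+(.*\S)")
REJECT = re.compile(r"!\s+\[remote rejected\]\s+(\S+)\s+->\s+(\S+)")


def parse_gh013(log_text):
    """Return one dict per GH013 block: target ref, violated rules, rejected push."""
    findings, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER.search(line)
        if header:
            current = {"ref": header.group(1), "rules": [], "rejected": None}
            findings.append(current)
        elif current is not None:
            rule, reject = RULE.search(line), REJECT.search(line)
            if rule:
                current["rules"].append(rule.group(1).rstrip("."))
            else:
                if reject:
                    current["rejected"] = (reject.group(1), reject.group(2))
                current = None  # any non-rule line closes the block
    return findings


def blocked_by_pr_rule(finding):
    """True when the ref only accepts changes via pull request or merge queue,
    so a step that pushes directly to it cannot succeed."""
    text = " ".join(finding["rules"]).lower()
    return "pull request" in text or "merge queue" in text


if __name__ == "__main__":
    for f in parse_gh013(SAMPLE_LOG):
        print(f["ref"], "direct push blocked:", blocked_by_pr_rule(f), f["rules"])
```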