ci: add post-merge workflow to trigger CI after auto-merge (#56)

SebTardif · web-flow · commit b7d484f0d014 · 2026-06-04T22:22:20.000Z
Auto-merge via GITHUB_TOKEN does not trigger push-event workflows on main. This means ci.yml, security.yml, and scorecard.yml never ran after PR #54 and #55 merged, leaving the CI badge stale (showing an older failure). Add a post-merge workflow that fires on pull_request.closed (merged) and triggers all three workflows via workflow_dispatch on main. workflow_dispatch is exempt from the GITHUB_TOKEN event suppression, so these runs will fire reliably. Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
diff --git a/.github/workflows/post-merge.yml b/.github/workflows/post-merge.yml
@@ -0,0 +1,24 @@
+name: Post-merge CI trigger
+
+on:
+  pull_request:
+    types: [closed]
+
+permissions: {}
+
+jobs:
+  trigger:
+    name: Trigger CI on main
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    if: github.event.pull_request.merged == true
+    permissions:
+      actions: write
+    steps:
+      - name: Trigger workflows on main
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh workflow run ci.yml --ref main --repo "${{ github.repository }}"
+          gh workflow run security.yml --ref main --repo "${{ github.repository }}"
+          gh workflow run scorecard.yml --ref main --repo "${{ github.repository }}"
diff --git a/AGENTS.md b/AGENTS.md
@@ -74,6 +74,7 @@ scripts/
     ci.yml                 CI: unit tests, build, integration tests (self-hosted)
     auto-approve.yml           Auto-approve PRs from SebTardif and dependabot[bot]
     dependabot-auto-merge.yml  Auto-merge minor/patch Dependabot PRs
+    post-merge.yml             Trigger CI/security/scorecard on main after auto-merge
     scorecard.yml              OpenSSF Scorecard analysis (weekly + on push)
     security.yml               Security: npm audit, Trivy fs scan, Gitleaks (weekly + on push/PR)
 ```
