ci: migrate merge + security callers to github-workflows v3, unify auto-merge

.github/workflows/codeql.yaml

@@ -1,7 +1,12 @@
-# Thin caller: CodeQL security analysis lives in the shared reusable workflow,
-# which scans the repo's GitHub Actions and its JavaScript/TypeScript build-free.
-# This caller owns the triggers and grants the analyze permission ceiling; the
+# Thin caller: CodeQL security analysis lives in the org's reusable security
+# workflow, which scans the repo's GitHub Actions and its JavaScript/TypeScript
+# build-free (languages detected from the repo root: actions + package.json). This
+# caller owns the triggers and grants the analyze permission ceiling; the
 # config-file excludes the bundled dist/ (its sources are analysed via src/).
+#
+# Build-free, so this needs no canonical Makefile — it moves to v3 ahead of the
+# ci/release callers, which stay on v1 until the Makefile lands (see
+# bitwise-media-group/setup-evolve#10).
 name: CodeQL analysis
 
 on:
@@ -26,7 +31,7 @@ jobs:
       actions: read
       # checkout the repository
       contents: read
-    uses: bitwise-media-group/github-workflows/.github/workflows/codeql-node.yaml@077a003a620f49bd0062c73fc761dbea05d7fb70 # v1.1.0
+    uses: bitwise-media-group/github-workflows/.github/workflows/security.yaml@ef97ca56a3a90f9f35556402e0c7478307edcbb9 # v3.0.0
     with:
       # exclude the bundled dist/ output; its sources are analysed via src/
       config-file: ./.github/codeql/codeql-config.yaml

.github/workflows/dependabot-merge.yaml

@@ -1,17 +1,17 @@
 # Thin caller: Dependabot auto-approve + fast-forward lives in the shared reusable
-# workflow. Dependabot opens npm and github-actions PRs (see dependabot.yaml);
-# minor/patch ones are auto-approved on open and fast-forwarded once CI is green,
+# workflow. When a Dependabot PR's CI finishes green the reusable workflow approves
+# it if it is a minor or patch update, then fast-forwards it into the base branch,
 # preserving Dependabot's signed commits via the same ff-merge action as `/merge`.
 # Major updates are never approved, so they wait for a human. This keeps the
 # reusable-workflow SHA pins (and npm deps) fresh with no human in the loop.
 #
-# Both triggers are required: pull_request_target approves on open; workflow_run
-# fast-forwards once CI is green. check_suite is NOT usable — GitHub does not fire
-# it for a repo's own Actions CI. The `workflows:` list names every workflow that
-# must pass — this repo's CI and CodeQL; whichever finishes last triggers the
-# merge attempt, and ff-merge re-verifies all checks. pull_request_target is safe
-# here: the reusable workflow never checks out or runs PR code. Requires branch
-# protection that requires PR review (so the approval sets the review decision).
+# Just workflow_run — an event that adds no check run to the PR, so it leaves no
+# skipped-job clutter (and needs no pull_request_target). The reusable workflow reads
+# the minor/patch-vs-major policy from Dependabot's signed commit. The `workflows:`
+# list names every workflow that must pass — this repo's CI and CodeQL; whichever
+# finishes last triggers the merge attempt. check_suite is NOT usable — GitHub does
+# not fire it for a repo's own Actions CI. Requires branch protection that requires
+# PR review (so the approval sets the review decision).
 #
 # Org prerequisites (one-time, see bitwise-media-group/ff-merge): the
 # FF_MERGE_CLIENT_ID variable + FF_MERGE_PRIVATE_KEY secret, and the "FF Merge"
@@ -20,8 +20,6 @@
 name: Dependabot auto-merge
 
 on:
-  pull_request_target:
-    types: [opened, reopened, synchronize]
   workflow_run:
     # every workflow that must be green before an in-policy Dependabot PR merges
     workflows: ["Continuous integration", "CodeQL analysis"]
@@ -32,7 +30,7 @@ permissions: {}
 
 jobs:
   auto-merge:
-    uses: bitwise-media-group/github-workflows/.github/workflows/dependabot-merge.yaml@077a003a620f49bd0062c73fc761dbea05d7fb70 # v1.1.0
+    uses: bitwise-media-group/github-workflows/.github/workflows/dependabot-merge.yaml@ef97ca56a3a90f9f35556402e0c7478307edcbb9 # v3.0.0
     with:
       app-client-id: ${{ vars.FF_MERGE_CLIENT_ID }}
     secrets:

.github/workflows/merge-review-ack.yaml

@@ -0,0 +1,22 @@
+# Thin caller: the merge review-ack — required companion to merge.yaml that carries
+# the approval signal for auto-merge. merge.yaml subscribes to no PR-attached events
+# (to keep the PR's checks list free of skipped-job clutter), but an approval only
+# surfaces as the PR-attached pull_request_review event. This workflow's single job
+# completes on an approving review so its workflow_run(completed) re-enters merge.yaml
+# in base context, where the App token is minted and the fast-forward done. That makes
+# fork and same-repo PRs merge identically on approval, and its job is the only check
+# this merge system adds to a PR. It does no privileged work and needs no secrets.
+#
+# Keep "Merge Review Ack" in merge.yaml's workflow_run list.
+name: Merge Review Ack
+
+on:
+  pull_request_review:
+    types: [submitted]
+
+# does no privileged work; grants nothing
+permissions: {}
+
+jobs:
+  ack:
+    uses: bitwise-media-group/github-workflows/.github/workflows/merge-review-ack.yaml@ef97ca56a3a90f9f35556402e0c7478307edcbb9 # v3.0.0

.github/workflows/merge.yaml

@@ -1,31 +1,42 @@
-# Thin caller: the fast-forward `/merge` flow lives in the shared reusable
-# workflow. A maintainer comments `/merge` on an approved, green PR and the base
-# branch is fast-forwarded to the PR head — the commit objects are untouched, so
-# the original signature is preserved and release-please still sees each
-# Conventional Commit individually. The reusable workflow owns the first-pass
-# author gate and re-verifies write access, approval, and passing checks
-# authoritatively, so a misconfigured caller cannot move a branch on its own.
+# Thin caller: the fast-forward merge flow lives in the shared reusable workflow —
+# both `/merge` (merge an approved, green PR now) and set-and-forget auto-merge
+# (`/auto-merge`, or add the `auto-merge` label, and it fast-forwards the moment it
+# is approved and every required check is green) in one workflow. Either way the
+# base branch is fast-forwarded to the PR head: the commit objects are untouched, so
+# the original signature is preserved and release-please sees each Conventional
+# Commit individually. This replaces the previous split merge.yaml + auto-merge.yaml
+# — v3 unifies them into a single reusable workflow.
 #
-# issue_comment runs in the base-repo context, so the App credentials are
-# available even on fork PRs.
+# Every trigger here is one that does NOT attach a check run to the PR
+# (issue_comment, workflow_run, schedule), so the merge machinery leaves no
+# skipped-job clutter on the PR's checks list. The approval signal is carried by the
+# companion merge-review-ack.yaml (its single job is the only check this system
+# adds) and re-enters via workflow_run. The `workflows:` list names every workflow
+# that must pass before merging — this repo's CI and CodeQL — plus "Merge Review
+# Ack"; whichever finishes last triggers the attempt, and ff-merge re-verifies all
+# checks. The schedule sweeps armed PRs as a backstop.
 #
 # Org prerequisites (one-time, see bitwise-media-group/ff-merge): the
 # FF_MERGE_CLIENT_ID variable + FF_MERGE_PRIVATE_KEY secret, and the "FF Merge"
 # App installed on this repo and in main's ruleset bypass list.
-name: Fast-forward merge
+name: Merge
 
 on:
   issue_comment:
     types: [created]
+  workflow_run:
+    workflows: ["Continuous integration", "CodeQL analysis", "Merge Review Ack"]
+    types: [completed]
+  schedule:
+    - cron: "17 * * * *"
 
-# the App token does the privileged work; the job's GITHUB_TOKEN needs nothing
+# the App token does the privileged work; the caller grants nothing
 permissions: {}
 
 jobs:
-  fast-forward:
-    uses: bitwise-media-group/github-workflows/.github/workflows/merge.yaml@077a003a620f49bd0062c73fc761dbea05d7fb70 # v1.1.0
+  merge:
+    uses: bitwise-media-group/github-workflows/.github/workflows/merge.yaml@ef97ca56a3a90f9f35556402e0c7478307edcbb9 # v3.0.0
     with:
-      pr-number: ${{ github.event.issue.number }}
       app-client-id: ${{ vars.FF_MERGE_CLIENT_ID }}
     secrets:
       app-private-key: ${{ secrets.FF_MERGE_PRIVATE_KEY }}