ci: merge validated windows definition PRs

.github/workflows/auto-merge-windows-version-definitions.yml

@@ -1,70 +0,0 @@
-name: Auto-merge Windows Version Definition Updates
-
-on:
-  workflow_run:
-    workflows: ["PR-tests"]
-    types: [completed]
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  auto-merge:
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
-    runs-on: ubuntu-latest
-    steps:
-      - name: Resolve matching pull request
-        id: pr
-        env:
-          GH_TOKEN: ${{ github.token }}
-          PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number }}
-          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
-          EXPECTED_TITLE: "chore(winpeas): update windows version vulnerability definitions"
-        run: |
-          pr_number="$PR_NUMBER"
-          if [ -z "$pr_number" ] && [ -n "$HEAD_BRANCH" ]; then
-            pr_number="$(gh pr list --state open --head "$HEAD_BRANCH" --json number --jq '.[0].number')"
-          fi
-          if [ -z "$pr_number" ]; then
-            echo "No pull request found for this workflow_run; skipping."
-            echo "should_merge=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          title="$(gh pr view "$pr_number" --json title --jq .title)"
-          base_ref="$(gh pr view "$pr_number" --json baseRefName --jq .baseRefName)"
-          head_ref="$(gh pr view "$pr_number" --json headRefName --jq .headRefName)"
-          author="$(gh pr view "$pr_number" --json author --jq .author.login)"
-
-          if [ "$title" != "$EXPECTED_TITLE" ]; then
-            echo "PR #$pr_number title does not match; skipping."
-            echo "should_merge=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          if [ "$base_ref" != "master" ] || [ "$head_ref" != "bot/update-windows-version-definitions" ]; then
-            echo "PR #$pr_number is not the expected branch pair; skipping."
-            echo "should_merge=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          if [ "$author" != "github-actions" ] && [ "$author" != "github-actions[bot]" ]; then
-            echo "PR #$pr_number author is $author; skipping."
-            echo "should_merge=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          echo "should_merge=true" >> "$GITHUB_OUTPUT"
-          echo "pr_number=$pr_number" >> "$GITHUB_OUTPUT"
-
-      - name: Merge matching pull request
-        if: ${{ steps.pr.outputs.should_merge == 'true' }}
-        env:
-          GH_TOKEN: ${{ github.token }}
-          PR_NUMBER: ${{ steps.pr.outputs.pr_number }}
-        run: |
-          gh api \
-            -X PUT \
-            -H "Accept: application/vnd.github+json" \
-            /repos/${{ github.repository }}/pulls/${PR_NUMBER}/merge \
-            -f merge_method=squash \
-            -f commit_title="chore(winpeas): update windows version vulnerability definitions"

.github/workflows/update_windows_version_definitions.yml

@@ -35,7 +35,7 @@ jobs:
       - name: Validate windows version definitions
         run: python3 build_lists/validate_windows_version_defs.py
 
-      - name: Create update pull request
+      - name: Create and merge validated update pull request
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
@@ -66,3 +66,31 @@ jobs:
               --title "$title" \
               --body "Automated update of \`build_lists/windows_version_exploits.json\`. The generated JSON passed \`build_lists/validate_windows_version_defs.py\` before this PR was updated."
           fi
+
+          pr_number="$(gh pr list --state open --head "$branch" --base master --json number --jq '.[0].number')"
+          pr_json="$(gh pr view "$pr_number" --json title,baseRefName,headRefName,author,mergeable)"
+          pr_title="$(jq -r .title <<<"$pr_json")"
+          base_ref="$(jq -r .baseRefName <<<"$pr_json")"
+          head_ref="$(jq -r .headRefName <<<"$pr_json")"
+          author="$(jq -r .author.login <<<"$pr_json")"
+          mergeable="$(jq -r .mergeable <<<"$pr_json")"
+
+          if [ "$pr_title" != "$title" ] || [ "$base_ref" != "master" ] || [ "$head_ref" != "$branch" ]; then
+            echo "Refusing to merge unexpected PR #$pr_number: title=$pr_title base=$base_ref head=$head_ref"
+            exit 1
+          fi
+          if [ "$author" != "app/github-actions" ] && [ "$author" != "github-actions" ] && [ "$author" != "github-actions[bot]" ]; then
+            echo "Refusing to merge PR #$pr_number from unexpected author: $author"
+            exit 1
+          fi
+          if [ "$mergeable" != "MERGEABLE" ]; then
+            echo "Refusing to merge PR #$pr_number because mergeable=$mergeable"
+            exit 1
+          fi
+
+          gh api \
+            -X PUT \
+            -H "Accept: application/vnd.github+json" \
+            "/repos/${{ github.repository }}/pulls/${pr_number}/merge" \
+            -f merge_method=squash \
+            -f commit_title="$title"