Self-Merge PR Policy¶
Overview¶
Engineers on the @Paper-Run/self-merge-approved team may merge their own PRs without an approving review when appropriate. This is enforced via GitHub branch protection bypass actors + CODEOWNERS, so protected paths still require review even for self-merge-approved members.
How it works¶
Branch protection (main): requires 1 approval
|
+-- @Paper-Run/self-merge-approved = bypass actors (can skip the 1-approval requirement)
|
+-- CODEOWNERS (protected paths) = require code owner review (bypass actors CANNOT skip this)
| Role | Non-protected path | Protected path |
|---|---|---|
| Normal engineer | Needs 1 approval | Needs 1 approval (from code owner) |
self-merge-approved member |
Can merge without approval | Still needs code owner approval |
Branch protection settings¶
| Setting | Value |
|---|---|
| Required approving reviews | 1 |
| Dismiss stale reviews | Yes |
| Require code owner reviews | Yes |
| Require last push approval | Yes |
| Enforce for admins | Yes |
| Required status checks | build |
| Require branches up to date | Yes |
| Bypass actors | @Paper-Run/self-merge-approved |
What's eligible for self-merge¶
Use your judgment. As a guideline:
- Always OK: bug fixes, copy updates, test additions, small refactors, documentation
- Generally OK: non-critical-path feature work, internal tooling, script changes
- Never self-merge: billing/Stripe logic, auth/authorization, database migrations, config changes — these always require review (enforced via CODEOWNERS)
Communication protocol¶
When self-merging, you must:
- Add the
self-mergelabel to the PR - Add a comment on the PR confirming you've reviewed your own diff
Self-review checklist¶
Before merging without review, confirm:
- [ ] I've reviewed my own diff line-by-line
- [ ] Tests pass (CI green)
- [ ] This does NOT touch billing, auth, or migrations
- [ ] No secrets or credentials in the diff
- [ ] I've added the
self-mergelabel
Protected paths (always require review)¶
These are enforced via CODEOWNERS and require approval from @Paper-Run/development-team:
| Path | Reason |
|---|---|
/migrations/ |
Database schema changes |
app/methods/billing.py |
Billing / Stripe logic |
app/routes/billing_routes.py |
Billing endpoints |
app/routes/auth_decorator.py |
Auth / authorization |
app/routes/login_routes.py |
Auth / login |
app/config.py |
Application configuration |
FAQ¶
Q: What if I'm unsure whether something needs review? A: Request a review. When in doubt, get a second pair of eyes.
Q: Can I self-merge if the PR is large? A: Size alone isn't the deciding factor — risk is. A large but straightforward test file is lower risk than a small billing change. Use judgment.
Q: What if someone has concerns about a self-merged PR after the fact? A: Open a follow-up PR or discussion. The goal is velocity, not avoiding feedback entirely.
Q: How does CODEOWNERS interact with self-merge?
A: Even if you're on the self-merge-approved team, GitHub still requires a code owner review for files matched by CODEOWNERS. You can't approve your own PR, so protected paths always need someone else's approval.
Q: What happens if I push after getting approval? A: The "dismiss stale reviews" and "require last push approval" settings mean the approval is dismissed and you'll need a fresh review. This prevents merging unapproved changes.