
chore: add action to automate develop -> master ff-only merge #738

Merged: whqtker merged 3 commits into develop from chore/ff-only-merge-action on Jun 9, 2026

@whqtker whqtker (Member) commented Jun 9, 2026

Related issue

  • resolves:

Work done

Intent: on PRs from develop -> master, automatically ff-only merge once at least one person approves

Notes

Review requirements (optional)

@whqtker whqtker self-assigned this Jun 9, 2026
@whqtker whqtker added the "기능" (Feature) label Jun 9, 2026
@whqtker whqtker added the "진행 중 자유롭게 merge 가능" (In progress, can be merged freely) label Jun 9, 2026

coderabbitai Bot commented Jun 9, 2026


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 24b3c5f6-2ded-4fcb-b627-00d000e6456a

📥 Commits

Reviewing files that changed from the base of the PR and between 8d5b402 and d7d6f93.

📒 Files selected for processing (1)
  • .github/workflows/ff-merge.yml

Walkthrough

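This PR implements an automatic merge process for the master branch through a GitHub Actions workflow.

  1. Workflow trigger setup
    • Starts the workflow when a PR review is submitted.
  2. Review state verification
    • Queries all reviews of the PR through the GitHub API.
    • Collects the latest review state per user (APPROVED, CHANGES_REQUESTED, etc.).
    • Confirms that there is at least one approval (APPROVED) and no change request (CHANGES_REQUESTED).
  3. Conditional merge execution
    • If the review conditions are met, FF-only merges the develop branch into master.
    • Pushes the changes to the remote repository using PAT-based authentication.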

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ❓ Inconclusive | The PR description includes the required sections, but the 'Related issue' item is empty and the 'Work done' section contains only a brief description. | Please add the related issue number, and in the Work done section write a concrete description of how the workflow operates, its trigger conditions, the technologies used, and so on. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The PR title clearly summarizes the core of the change. It intuitively conveys the main change: adding an action that automates the FF-only merge from develop to master. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

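The review gate summarized in the walkthrough above (latest state per user, at least one APPROVED, no CHANGES_REQUESTED), written out as an added example; it is not the workflow code from this PR. It assumes review objects shaped like the GitHub REST "list reviews for a pull request" response (`user.login`, `state`, `submitted_at`, `commit_id`). It also goes beyond the summary in three labelled assumptions: COMMENTED reviews do not replace an earlier decision, the PR author's own reviews are ignored, and an approval counts only if it was given on the current head commit.

```javascript
// Added example: decide whether a PR is ready for the automated ff-only merge.
// evaluateReviews, its option names and the sample data are hypothetical.
const DECISIVE = new Set(['APPROVED', 'CHANGES_REQUESTED', 'DISMISSED']);

function evaluateReviews(reviews, { author, headSha, minApprovals = 1 }) {
  const latest = new Map(); // login -> latest decisive review
  const ordered = [...reviews].sort(
    (a, b) => new Date(a.submitted_at) - new Date(b.submitted_at));
  for (const r of ordered) {
    if (!r.user || r.user.login === author) continue; // skip deleted users and self-reviews
    if (!DECISIVE.has(r.state)) continue;             // COMMENTED/PENDING keep the earlier decision
    latest.set(r.user.login, r);
  }
  const approvers = [];
  const blockers = [];
  const stale = [];
  for (const [login, r] of latest) {
    if (r.state === 'CHANGES_REQUESTED') {
      blockers.push(login); // blocks no matter which commit it was left on
    } else if (r.state === 'APPROVED') {
      // Assumption: approvals given on an older commit do not count.
      (r.commit_id === headSha ? approvers : stale).push(login);
    }
  }
  const ready = approvers.length >= minApprovals && blockers.length === 0;
  return { ready, approvers, blockers, stale };
}

// Constructed sample input (not taken from the PR).
const HEAD = 'aaaa111';
const sampleReviews = [
  { user: { login: 'alice' }, state: 'APPROVED', submitted_at: '2026-06-09T01:00:00Z', commit_id: HEAD },
  { user: { login: 'alice' }, state: 'COMMENTED', submitted_at: '2026-06-09T02:00:00Z', commit_id: HEAD },
  { user: { login: 'bob' }, state: 'DISMISSED', submitted_at: '2026-06-09T03:00:00Z', commit_id: HEAD },
  { user: { login: 'carol' }, state: 'APPROVED', submitted_at: '2026-06-08T23:00:00Z', commit_id: '0000bbb' },
];

console.log(evaluateReviews(sampleReviews, { author: 'dave', headSha: HEAD }));
```

In a workflow the `ready` flag would feed a step output such as the `steps.approvals.outputs.ready` condition visible in the suggested Checkout step further down the thread.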

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8d5b4022b5


Comment thread .github/workflows/ff-merge.yml Outdated
Comment thread .github/workflows/ff-merge.yml

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (2)
.github/workflows/ff-merge.yml (2)

41-46: ⚡ Quick win

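We recommend adding two settings to strengthen security.

  1. Pin the action to a hash: using a commit hash instead of actions/checkout@v4 can prevent supply chain attacks.
  2. Do not persist credentials: setting persist-credentials: false prevents the token from remaining in .git/config and leaking through artifacts.
🛡️ Recommended changes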
       - name: Checkout
         if: steps.approvals.outputs.ready == 'true'
         uses: actions/checkout@v4
         with:
           token: ${{ secrets.PAT }}
           fetch-depth: 0
+          persist-credentials: false
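Review bot: With `persist-credentials: false` added on the last line, checkout no longer writes the PAT from `token: ${{ secrets.PAT }}` into .git/config, so if the merge step that follows pushes with plain git it will have no credentials; that step needs the token passed to it explicitly, scoped to the push only. The `uses: actions/checkout@v4` line is also left on the floating tag even though item 1 of this comment recommends a commit hash, so the suggestion should show the pinned form, actions/checkout@<commit-sha>, as well.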
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ff-merge.yml around lines 41 - 46, Update the Checkout
step: replace the floating action ref "uses: actions/checkout@v4" with a pinned
commit SHA for the actions/checkout action and add "persist-credentials: false"
to the step inputs (keep existing token and fetch-depth inputs), so the Checkout
step (the step named "Checkout" that currently uses actions/checkout@v4 and sets
token/fetch-depth) uses an exact action hash and does not persist credentials
into .git/config.

Source: Linters/SAST tools


19-19: 💤 Low value

We recommend pinning the action to a commit hash to strengthen security.

  1. Current state: only a tag is used, as in actions/github-script@v7.
  2. Recommendation: pinning to a commit hash is safer, to prevent supply chain attacks.
  3. Example: actions/github-script@<commit-sha>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ff-merge.yml at line 19, Replace the floating tag for the
GitHub Action so it's pinned to a specific commit SHA: locate the line that
reads "uses: actions/github-script@v7" and change the tag to a full commit SHA
for the actions/github-script repo (e.g., "uses:
actions/github-script@<commit-sha>"); ensure you pick a stable commit from the
official repo, update any related workflow documentation/variables if needed,
and periodically refresh the SHA when intentionally upgrading the action.

Source: Linters/SAST tools


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 3c0b7a26-1ab9-421c-ab38-b9913bdbfa50

📥 Commits

Reviewing files that changed from the base of the PR and between 88d603e and 8d5b402.

📒 Files selected for processing (1)
  • .github/workflows/ff-merge.yml

@whqtker whqtker merged commit 7e070fe into develop Jun 9, 2026
3 checks passed