elastic · strawgate · Feb 28, 2026 · Feb 28, 2026 · Feb 28, 2026 · Feb 28, 2026
diff --git a/.github/workflows/downstream-users.lock.yml b/.github/workflows/downstream-users.lock.yml
diff --git a/.github/workflows/gh-aw-bug-exterminator.lock.yml b/.github/workflows/gh-aw-bug-exterminator.lock.yml
diff --git a/.github/workflows/gh-aw-code-duplication-fixer.lock.yml b/.github/workflows/gh-aw-code-duplication-fixer.lock.yml
diff --git a/.github/workflows/gh-aw-code-simplifier.lock.yml b/.github/workflows/gh-aw-code-simplifier.lock.yml
diff --git a/.github/workflows/gh-aw-fragments/pr-context.md b/.github/workflows/gh-aw-fragments/pr-context.md
@@ -9,7 +9,7 @@ steps:
       mkdir -p /tmp/pr-context
 
       # PR metadata
-      gh pr view "$PR_NUMBER" --json title,body,author,baseRefName,headRefName,url \
+      gh pr view "$PR_NUMBER" --json title,body,author,baseRefName,headRefName,headRefOid,url \
         > /tmp/pr-context/pr.json
 
       # Full diff
@@ -109,7 +109,7 @@ steps:
 
       | File | Description |
       | --- | --- |
-      | `pr.json` | PR metadata — title, body, author, base/head branches, URL |
+      | `pr.json` | PR metadata — title, body, author, base/head branches, head commit SHA (`headRefOid`), URL |
       | `pr.diff` | Full unified diff of all changes |
       | `files.json` | Changed files array — each entry has `filename`, `status`, `additions`, `deletions`, `patch` |
       | `diffs/<path>.diff` | Per-file diffs — one file per changed file, mirroring the repo path under `diffs/` |

diff --git a/.github/workflows/gh-aw-fragments/safe-output-create-pr.md b/.github/workflows/gh-aw-fragments/safe-output-create-pr.md
@@ -11,6 +11,22 @@ safe-inputs:
               return subprocess.run(cmd, capture_output=True, text=True, timeout=60)
           except subprocess.TimeoutExpired:
               return subprocess.CompletedProcess(cmd, 1, stdout='', stderr='diff timed out')
+
+      # --- Guard: detect merge commits ---
+      # Find the fork point with the upstream branch to scope the check
+      upstream_sha = ''
+      for ref in ['@{upstream}', 'origin/HEAD', 'origin/main']:
+          r = run(['git', 'merge-base', 'HEAD', ref])
+          if r.returncode == 0 and r.stdout.strip():
+              upstream_sha = r.stdout.strip()
+              break
+      if upstream_sha:
+          log = run(['git', 'rev-list', '--min-parents=2', f'{upstream_sha}..HEAD'])
+          merge_shas = log.stdout.strip()
+          if merge_shas:
+              print(json.dumps({'status': 'error', 'error': f'Merge commit(s) detected: {merge_shas.splitlines()[0][:12]}... create_pull_request uses git format-patch which breaks on merge commits. Fix: re-apply your changes as direct file edits (no git merge/rebase/commit-tree with multiple -p flags) and commit as regular single-parent commits.'}))
+              raise SystemExit(0)
+
       contributing = find('CONTRIBUTING.md', 'CONTRIBUTING.rst', 'docs/CONTRIBUTING.md', 'docs/contributing.md')
       pr_template = find('.github/pull_request_template.md', '.github/PULL_REQUEST_TEMPLATE.md', '.github/PULL_REQUEST_TEMPLATE/pull_request_template.md')
       # Generate diff of all local changes vs upstream for self-review

diff --git a/.github/workflows/gh-aw-fragments/safe-output-push-to-pr.md b/.github/workflows/gh-aw-fragments/safe-output-push-to-pr.md
@@ -11,6 +11,26 @@ safe-inputs:
               return subprocess.run(cmd, capture_output=True, text=True, timeout=60)
           except subprocess.TimeoutExpired:
               return subprocess.CompletedProcess(cmd, 1, stdout='', stderr='diff timed out')
+
+      # --- Guard: detect history rewrites and merge commits ---
+      pr_json_path = '/tmp/pr-context/pr.json'
+      if os.path.isfile(pr_json_path):
+          with open(pr_json_path) as f:
+              pr_data = json.load(f)
+          pr_head_sha = pr_data.get('headRefOid', '')
+          if pr_head_sha:
+              # Check 1: PR head must be an ancestor of HEAD (no rebase/reset)
+              anc = run(['git', 'merge-base', '--is-ancestor', pr_head_sha, 'HEAD'])
+              if anc.returncode != 0:
+                  print(json.dumps({'status': 'error', 'error': f'History rewrite detected: the original PR head ({pr_head_sha[:12]}) is not an ancestor of HEAD. This means git rebase, reset, or cherry-pick rewrote history. push_to_pull_request_branch will fail. Fix: reset to the PR head with `git checkout {pr_head_sha}`, re-apply your changes as direct file edits, and commit as regular commits.'}))
+                  raise SystemExit(0)
+              # Check 2: no merge commits (multiple parents) since PR head
+              log = run(['git', 'rev-list', '--min-parents=2', f'{pr_head_sha}..HEAD'])
+              merge_shas = log.stdout.strip()
+              if merge_shas:
+                  print(json.dumps({'status': 'error', 'error': f'Merge commit(s) detected: {merge_shas.splitlines()[0][:12]}... push_to_pull_request_branch uses git format-patch which breaks on merge commits. Fix: reset to the PR head with `git checkout {pr_head_sha}`, re-apply your changes as direct file edits (no git merge/rebase/commit-tree with multiple -p flags), and commit as regular single-parent commits.'}))
+                  raise SystemExit(0)
+
       contributing = find('CONTRIBUTING.md', 'CONTRIBUTING.rst', 'docs/CONTRIBUTING.md', 'docs/contributing.md')
       pr_template = find('.github/pull_request_template.md', '.github/PULL_REQUEST_TEMPLATE.md', '.github/PULL_REQUEST_TEMPLATE/pull_request_template.md')
       # Generate diff of all local changes vs upstream for self-review

diff --git a/.github/workflows/gh-aw-issue-fixer.lock.yml b/.github/workflows/gh-aw-issue-fixer.lock.yml
diff --git a/.github/workflows/gh-aw-mention-in-issue-no-sandbox.lock.yml b/.github/workflows/gh-aw-mention-in-issue-no-sandbox.lock.yml
diff --git a/.github/workflows/gh-aw-mention-in-issue.lock.yml b/.github/workflows/gh-aw-mention-in-issue.lock.yml