Auto-merge rules

Auto-merge lets Zapat merge PRs automatically when all conditions are met. You define the risk tolerance and delay — Zapat enforces them. About 80% of Zapat-generated PRs pass review and CI without human rework.

How risk scoring works

Zapat scores PRs across five factors and assigns a risk level. Each factor contributes 0, 1, or 2 points:

• Files changed — 0 pts: ≤5 files. 1 pt: 6–20 files. 2 pts: >20 files.
• Tests — 0 pts: new/modified tests present. 1 pt: tests exist but unchanged. 2 pts: no tests found.
• Review approvals — 0 pts: 2+ approvals. 1 pt: 1 approval. 2 pts: 0 approvals.
• Security paths — 0 pts: none. 1 pt: config files changed. 2 pts: auth/crypto/secrets paths changed.
• Lines changed — 0 pts: ≤100 lines. 1 pt: 101–500 lines. 2 pts: >500 lines.

Total score: 0–2 = low risk, 3–5 = medium risk, 6+ = high risk.

What happens at each risk level

• Low risk — Merged immediately (no delay) when auto-merge is enabled and the PR is approved.
• Medium risk — Scheduled for merge after autoMergeDelayHours (default: 4 hours). This gives you a window to intervene.
• High risk — Always held for human review. Zapat will not auto-merge, regardless of configuration.

Auto-merge configuration options

• autoMergeEnabled (default: false) — Master switch. Must be true for any auto-merge to occur.
• autoMergeMaxRisk (default: "medium") — Maximum risk level that will be auto-merged. Set to "low" to only auto-merge the safest changes. "high" allows all approved PRs (not recommended).
• autoMergeDelayHours (default: 4, range: 0–72) — Delay before merging medium-risk PRs. Low-risk PRs always merge immediately regardless of this setting.

Auto-merge conditions

All of the following must be true for a PR to be auto-merged:

• autoMergeEnabled is true for the repo.
• The PR risk level is at or below autoMergeMaxRisk.
• The PR has been approved (via the review stage or a human reviewer).
• No "hold" label is present on the PR.