Feat!: Enhance pull request close/reconciliation handling

- Add GitHub PR close handling after Gerrit change is merged
- Add CLI ability to accept Gerrit change as input, close PRs
- New --force flag will close GitHub PRs for Abandoned changes
- Add code to extract GitHub ORG from Gerrit change content
- Only display relevant output in GitHub2Gerrit Configuration
- Bypass uvx when testing/developing against branches in forks
- Improve isolation to address failing pre-commit pytest hook
- Add new automation_only input and CLI flag to reject user PRs

Signed-off-by: Matthew Watkins <mwatkins@linuxfoundation.org>

Author: ModeSevenIndustrialSolutions

.github/workflows/github2gerrit.yaml

@@ -68,7 +68,7 @@ on:
       PRESERVE_GITHUB_PRS:
         description: "Do not close GitHub PRs after pushing to Gerrit"
         required: false
-        default: false
+        default: true
         type: boolean
       DRY_RUN:
         description: "Validate settings and PR metadata; do not write to Gerrit"

.github/workflows/testing.yaml

@@ -40,6 +40,7 @@ jobs:
           GERRIT_KNOWN_HOSTS: 'dummy-host ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC...'
           GERRIT_SSH_PRIVKEY_G2G: 'dummy-key'
           DRY_RUN: 'true'
+          AUTOMATION_ONLY: 'false'
 
       # yamllint disable-line rule:line-length
       - name: "Running local action: ${{ github.repository }} [Failure]"
@@ -53,6 +54,7 @@ jobs:
           GERRIT_KNOWN_HOSTS: "dummy-host ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC..."
           GERRIT_SSH_PRIVKEY_G2G: ""
           DRY_RUN: 'true'
+          AUTOMATION_ONLY: 'false'
 
       # Failure testing is also important
       - name: "Error if step above did NOT fail"

README.md

@@ -32,7 +32,106 @@ Gerrit `Change-Id` trailers to create or update changes.
 - Query Gerrit for the resulting URL, change number, and patchset SHA.
 - Add a back‑reference comment in Gerrit to the GitHub PR and run URL.
 - Comment on the GitHub PR with the Gerrit change URL(s).
-- Optionally close the PR (mirrors the shell action policy).
+- By default, the tool preserves PRs after submission; set `PRESERVE_GITHUB_PRS=false` to close them.
+
+## Close Merged PRs Feature
+
+GitHub2Gerrit now includes **automatic PR closure** when Gerrit merges changes
+and syncs them back to GitHub. This completes the lifecycle for automation PRs
+(like Dependabot).
+
+**How it works:**
+
+1. A bot (e.g., Dependabot) creates a GitHub PR
+2. GitHub2Gerrit converts it to a Gerrit change with tracking information
+3. When the Gerrit change is **merged** and synced to GitHub, the original PR is automatically closed
+4. When the Gerrit change is **abandoned**, the tool handles the PR based on `CLOSE_MERGED_PRS`:
+   - If `CLOSE_MERGED_PRS=true` (default): The tool closes the PR with an abandoned comment ⛔️
+   - If `CLOSE_MERGED_PRS=false`: PR remains open, but receives an abandoned notification comment ⛔️
+
+**Key characteristics:**
+
+- **Enabled by default** via `CLOSE_MERGED_PRS=true`
+- **Non-fatal operation** - the tool logs missing or already-closed PRs as
+  info, not errors
+- Works on `push` events when Gerrit syncs changes to GitHub mirrors
+- **Abandoned change handling**: The tool closes PRs or adds comments based on the `CLOSE_MERGED_PRS` setting
+
+**Gerrit change status handling:**
+
+| Scenario | `CLOSE_MERGED_PRS=true` (default) | `CLOSE_MERGED_PRS=false` |
+|----------|-----------------------------------|--------------------------|
+| Change has MERGED status | ✅ Closes PR with merged comment | ⏭️ No action |
+| Change has ABANDONED status | ✅ Closes PR with abandoned comment ⛔️ | 💬 Adds abandoned notification comment (PR stays open) |
+| Change is NEW/OPEN | ⚠️ Closes PR with a warning | ⏭️ No action |
+| Status UNKNOWN | ⚠️ Closes PR with a warning | ⏭️ No action |
+
+**Status reporting examples:**
+
+```text
+No GitHub PR URL found in commit abc123de - skipping
+GitHub PR #42 is already closed - nothing to do
+Gerrit change confirmed as MERGED
+SUCCESS: Closed GitHub PR #42
+```
+
+**Abandoned change examples:**
+
+With `CLOSE_MERGED_PRS=true`:
+
+```text
+Gerrit change ABANDONED; will close PR with abandoned comment
+SUCCESS: Closed GitHub PR #42
+```
+
+With `CLOSE_MERGED_PRS=false`:
+
+```text
+Gerrit change ABANDONED; will add comment (CLOSE_MERGED_PRS=false)
+SUCCESS: Added comment to PR #42 (PR remains open)
+```
+
+## Restrict PRs to Automation Tools
+
+GitHub2Gerrit can restrict pull request processing to known automation tools.
+Use this for GitHub mirrors where you want contributors to submit changes via
+Gerrit, while still accepting automated dependency updates from tools like
+Dependabot.
+
+**Configuration:**
+
+Set `AUTOMATION_ONLY=true` (default) to enable, or `AUTOMATION_ONLY=false`
+to accept all PRs.
+
+**Recognized automation tools:**
+
+| Tool | GitHub Username(s) |
+|------|-------------------|
+| Dependabot | `dependabot[bot]`, `dependabot` |
+| Pre-commit.ci | `pre-commit-ci[bot]`, `pre-commit-ci` |
+
+**What happens when enabled:**
+
+The tool rejects PRs from non-automation users by:
+
+1. Logging a warning message
+2. Closing the PR with this comment:
+
+   ```text
+   This GitHub mirror does not accept pull requests.
+   Please submit changes to the project's Gerrit server.
+   ```
+
+3. Exiting with code 1
+
+**Example:**
+
+```yaml
+- uses: lfit/github2gerrit-action@main
+  with:
+    AUTOMATION_ONLY: "true"  # default, accepts automation PRs
+    GERRIT_SSH_PRIVKEY_G2G: ${{ secrets.GERRIT_SSH_PRIVKEY }}
+```
 
 ## Requirements
 
@@ -664,7 +763,7 @@ alignment between action inputs, environment variables, and CLI flags:
 | `ORGANIZATION` | `ORGANIZATION` | `--organization` | No | `${{ github.repository_owner }}` | GitHub organization/owner |
 | `REVIEWERS_EMAIL` | `REVIEWERS_EMAIL` | `--reviewers-email` | No | `""` | Comma-separated reviewer emails |
 | `ALLOW_GHE_URLS` | `ALLOW_GHE_URLS` | `--allow-ghe-urls` | No | `"false"` | Allow GitHub Enterprise URLs in direct URL mode |
-| `PRESERVE_GITHUB_PRS` | `PRESERVE_GITHUB_PRS` | `--preserve-github-prs` | No | `"false"` | Do not close GitHub PRs after pushing to Gerrit |
+| `PRESERVE_GITHUB_PRS` | `PRESERVE_GITHUB_PRS` | `--preserve-github-prs` | No | `"true"` | Do not close GitHub PRs after pushing to Gerrit |
 | `DRY_RUN` | `DRY_RUN` | `--dry-run` | No | `"false"` | Check settings/PR metadata; do not write to Gerrit |
 | `ALLOW_DUPLICATES` | `ALLOW_DUPLICATES` | `--allow-duplicates` | No | `"false"` | Allow submitting duplicate changes without error |
 | `CI_TESTING` | `CI_TESTING` | `--ci-testing` | No | `"false"` | Enable CI testing mode (overrides .gitreview) |
@@ -943,8 +1042,8 @@ requiring manual configuration per PR or user.
   - Adds a back‑reference comment in Gerrit with the GitHub PR and run
     URL. Adds a comment on the GitHub PR with the Gerrit change URL(s).
 - Closing PRs
-  - On `pull_request_target`, the workflow may close the PR after submission to
-    match the shell action’s behavior.
+  - By default, PRs are **preserved** after submission (`PRESERVE_GITHUB_PRS=true`).
+  - Set `PRESERVE_GITHUB_PRS=false` to close PRs after submission on `pull_request_target` events.
 
 ## Security notes
 

action.yaml

@@ -52,7 +52,11 @@ inputs:
   PRESERVE_GITHUB_PRS:
     description: "Do not close GitHub PRs after pushing to Gerrit"
     required: false
-    default: "false"
+    default: "true"
+  CLOSE_MERGED_PRS:
+    description: "Close GitHub PRs when corresponding Gerrit changes are merged"
+    required: false
+    default: "true"
   DRY_RUN:
     description: "Validate settings/PR metadata; do not write to Gerrit"
     required: false
@@ -65,10 +69,20 @@ inputs:
     description: "Enable CI testing mode; overrides .gitreview, creates orphan commits"
     required: false
     default: "false"
+  FORCE:
+    description: "Force PR closure regardless of Gerrit change status (abandoned, etc)"
+    required: false
+    default: "false"
   ISSUE_ID:
     description: "Issue ID to include (e.g., ABC-123)"
     required: false
     default: ""
+  USE_LOCAL_ACTION:
+    description: >-
+      Use local repository action/code instead of the PyPI package.
+      Set to 'true' when testing changes in a fork or branch before merging.
+    required: false
+    default: "false"
   G2G_USE_SSH_AGENT:
     description: "Use SSH agent for authentication instead of file-based keys (recommended)"
     required: false
@@ -115,6 +129,10 @@ inputs:
       (format: [{"key": "username", "value": "ISSUE-ID"}])
     required: false
     default: "[]"
+  AUTOMATION_ONLY:
+    description: "Only accept pull requests from known automation tools"
+    required: false
+    default: "true"
 
 outputs:
   gerrit_change_request_url:
@@ -157,7 +175,8 @@ runs:
         set -euo pipefail
         uv --version
         # Install locally for self-testing, use uvx for external repos
-        if [[ "${{ github.repository }}" =~ lfreleng-actions/github2gerrit-action ]]; then
+        if [[ "${{ inputs.USE_LOCAL_ACTION }}" == "true" ]] || \
+           [[ "${{ github.repository }}" =~ lfreleng-actions/github2gerrit-action ]]; then
           echo "Installing with: uv pip install --system ${{ github.action_path }}"
           uv pip install --system ${{ github.action_path }}
         else
@@ -199,6 +218,16 @@ runs:
       run: |
         # Extract PR number, validate context
         set -euo pipefail
+
+        # Push events don't need PR_NUMBER (used for closing merged PRs)
+        # The CLI handles push events specially via _process_close_merged_prs()
+        if [[ "${{ github.event_name }}" == "push" ]]; then
+          echo "Push event detected - will process merged commits for PR closure"
+          # Set PR_NUMBER to empty to indicate this is intentional for push events
+          echo "PR_NUMBER=" >> "$GITHUB_ENV"
+          exit 0
+        fi
+
         # Honor PR_NUMBER or SYNC_ALL_OPEN_PRS set by workflow_dispatch
         if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
           if [[ -n "${SYNC_ALL_OPEN_PRS:-}" ]]; then
@@ -249,10 +278,13 @@ runs:
         ISSUE_ID: ${{ inputs.ISSUE_ID }}
         ISSUE_ID_LOOKUP_JSON: ${{ inputs.ISSUE_ID_LOOKUP_JSON }}
         CI_TESTING: ${{ inputs.CI_TESTING }}
+        CLOSE_MERGED_PRS: ${{ inputs.CLOSE_MERGED_PRS }}
+        FORCE: ${{ inputs.FORCE }}
         DUPLICATE_TYPES: ${{ inputs.DUPLICATE_TYPES }}
         NORMALISE_COMMIT: ${{ inputs.NORMALISE_COMMIT }}
         G2G_USE_SSH_AGENT: ${{ inputs.G2G_USE_SSH_AGENT }}
         G2G_VERBOSE: ${{ inputs.VERBOSE }}
+        AUTOMATION_ONLY: ${{ inputs.AUTOMATION_ONLY }}
 
         # Optional Gerrit overrides (when .gitreview is missing)
         GERRIT_SERVER: ${{ inputs.GERRIT_SERVER }}
@@ -280,8 +312,9 @@ runs:
       run: |
         # Run github2gerrit Python CLI
         set -euo pipefail
-        # Use different invocation methods based on repository
-        if [[ "${{ github.repository }}" =~ lfreleng-actions/github2gerrit-action ]]; then
+        # Use different invocation methods based on repository or USE_LOCAL_ACTION flag
+        if [[ "${{ inputs.USE_LOCAL_ACTION }}" == "true" ]] || \
+           [[ "${{ github.repository }}" =~ lfreleng-actions/github2gerrit-action ]]; then
           echo "Running:python -m github2gerrit.cli"
           python -m github2gerrit.cli
         else