
## Trigger

Need GitHub to auto-merge a narrow class of PRs after CI while keeping the same
required check usable for every PR.

## Diagnosis

- GitHub required status checks are branch-level; if the required workflow is
  hidden behind `pull_request.paths`, some PRs may never report that check.
- A missing required check blocks the merge even when the PR is unrelated to the
  filtered paths.
- Path/branch eligibility belongs inside the always-reporting job, not in the
  event trigger for the required workflow.

## Fix

- Make the required workflow run on every `pull_request`.
- Keep any `push: main` path filters if they are only an optimization.
- Add an internal guard step:
  - `if: startsWith(github.head_ref, 'card/')`
  - compute `git diff --name-only origin/<base>...HEAD`
  - run `python scripts/ai/guard_changed_paths.py --card-only-strict "${paths[@]}"`
- Configure repository auto-merge and branch protection:
  - `allow_auto_merge=true`
  - `main` requires strict `validate`
  - no required human reviews for the card lane
- For card publication, wait for `validate` to pass, then run:
  `gh pr merge <pr> --squash --auto`.
- Do not arm `gh pr merge --auto` before required checks are green; GitHub can
  reject pre-green auto-merge arming.
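
A workflow sketch of the fix above, added here as an example and not taken from the repository's own workflow file. The `cards/**` filter in the "before" comment, the runner image, `actions/checkout@v4`, and the fail-on-empty-diff behaviour are assumptions; the guard command and the `card/` branch test are the ones listed above.

```yaml
# BEFORE (weak): the required check is hidden behind a path filter, so a PR
# touching only other paths never reports `validate` and stays blocked.
#
#   on:
#     pull_request:
#       paths: ["cards/**"]   # constructed path, for illustration only
#
# AFTER: the workflow runs on every PR; eligibility moves into a guarded step.
name: validate
on:
  pull_request:              # no `paths:` here, so every PR reports the check
  push:
    branches: [main]         # path filters may stay on push as an optimization

permissions:
  contents: read             # the guard only needs to read the repository

jobs:
  validate:                  # job name must match the required check on `main`
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0     # full history so origin/<base>...HEAD resolves

      - name: Card lane path guard
        if: startsWith(github.head_ref, 'card/')
        shell: bash          # explicit bash gives `-eo pipefail`
        env:
          BASE_REF: ${{ github.base_ref }}   # passed via env, not inlined into the script
        run: |
          # Write to a file first so a failing `git diff` aborts the step.
          git diff --name-only -z "origin/${BASE_REF}...HEAD" > "$RUNNER_TEMP/changed"
          mapfile -d '' -t paths < "$RUNNER_TEMP/changed"
          # Assumption: an empty list means the diff did not resolve; fail closed.
          if (( ${#paths[@]} == 0 )); then
            echo "no changed paths resolved; refusing to pass" >&2
            exit 1
          fi
          python scripts/ai/guard_changed_paths.py --card-only-strict "${paths[@]}"

      # The repository's other CI steps follow here and run for every PR.
```

PRs from branches outside `card/` skip the guard step but still report `validate`, so the required check never goes missing.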

## Reuse Rule

Load when designing or debugging GitHub Actions required checks, auto-merge, or
branch/path eligibility for a narrow PR class such as `card/*`.
