fix(claude-automerge): check bypass label BEFORE path-scan

[topcoder1]

Summary

Fixes a workflow-design gap where the `auto-merge-approved` bypass label was unreachable for Claude PRs whose diff exceeded GitHub's 20k-line `gh pr diff` cap.

The path-scan step calls `gh pr diff "$PR" --name-only`, which returns HTTP 406 "Sorry, the diff exceeded the maximum number of lines (20000)" on oversized PRs. Combined with `set -euo pipefail`, the step exits 1 — and the workflow halts BEFORE ever evaluating the bypass label.

The bypass mechanism the policy advertises was inert on exactly the class of PR most likely to need it (large data drops, fixture refreshes, generated-code commits).

Live failure

Verified against topcoder1/attaxion_dev#71 (2026-05-04, 261k-line Tokio Stage C data drop):

• `classify / Classify PR Risk` → HTTP 406, exit 1
• `automerge / automerge` → HTTP 406, exit 1
• Applying the `auto-merge-approved` label triggered a re-run → same exit 1

Repo admin had to admin-override-merge through the GitHub UI.

Fix

Move the Option-A bypass label check up, before the path-scan, and gate the path-scan on `bypass != '1'` so oversized PRs skip the diff fetch entirely.

Step	Old order	New order
Detect Claude authorship	1	1
Check classifier_verdict label	2	2
Check Option-A bypass label	4	3 ← moved
Risk-tier path-scan	3	4 ← now gated on `bypass != '1'`
Check Option-B Codex bypass	5	5
Enable auto-merge	6	6

Scenarios traced

All 5 downstream conditions verified:

Scenario	Outcome
Claude + `risk:blocked`	unchanged (revoke + comment)
Claude + `auto-merge-approved` label	NEW: works for >20k-line PRs
Claude + non-risky paths, no bypass	unchanged
Claude + risky paths, no bypass	unchanged (Codex check decides)
Claude + risky paths + bypass label	functionally equivalent (path-scan log no longer appears, but the label IS the audit trail)

Auto-merge rationale

Reusable workflow change. Touches only step ordering + one if-condition. Fail-closed default preserved (any error in bypass_label step exits 1 via `set -euo pipefail` before risk runs, same as before). All 33 fleet callers get the fix automatically on next workflow_call. No caller-side changes needed.

Test plan

• `actionlint .github/workflows/claude-author-automerge.yml` clean
• `python -c "import yaml; yaml.safe_load(open('.github/workflows/claude-author-automerge.yml'))"` parses
• All 5 scenarios traced manually through every downstream step's `if:` condition; no breakage
• First fleet PR after merge with the bypass label exercises the new path (will surface naturally)

Refs

• topcoder1/attaxion_dev#71 — the live failure case
• Global `CLAUDE.md` auto-merge policy block (defines `risk_bypass_label: auto-merge-approved`)

🤖 Generated with Claude Code

[claude]

No issues found. Step reordering is logically sound — all downstream if: conditions correctly handle the empty risk.outputs.risky when the path-scan is skipped via bypass label.

[topcoder1]

Rebased onto latest main (clean — no conflicts; the existing diff still applies cleanly atop today's PR #70 + automerge changes). Validator confirms no phantom required-check in the ruleset (only required context is review / Claude Review and its workflow fires on pull_request). The 17-day mergeStateStatus: BLOCKED was stale state from before main moved — rebase + force-push refreshed all checks and re-armed auto-merge. Currently waiting on Claude Review + coverage + prettier to finish on the new HEAD; will land via --auto --squash once green.

[github-actions]

Coverage Floor — mode: enforce

metric	value
measured	100.0%
floor (current)	99.0%
target	100.0%
last bumped	2026-05-12

[claude]

No issues found. Step-reordering logic is correct across all 5 scenarios; downstream if: conditions handle skipped-step empty outputs cleanly.