name: auto-approve

# Approves pull requests that carry the 'auto-approve' label (the scheduled
# upgrade-main dependency PRs, for example).
#
# Why pull_request_target is acceptable here: the job never checks out or runs
# anything from the PR; its only action is a call to the review API. Branch
# protection still requires the build workflow to pass before a merge.
#
# Why the trigger is `labeled` and nothing else: every approval must come from
# an explicit label event by someone with triage+ permission. Triggering on
# `synchronize` would re-approve whatever commits land on an already-labeled
# PR with nobody looking — together with Mergify auto-merge that would be an
# unreviewed path to merge. The Mergify `dismiss stale approvals` rule is the
# other half of the invariant: a push invalidates the bot's earlier approval,
# and getting a new one means removing and re-adding the label. That friction
# is deliberate: new content needs a fresh, explicit trigger.
on:
  pull_request_target:
    types: [labeled]

# Workflow-level default: GITHUB_TOKEN gets no scope at all; the single job
# that needs one re-grants it below.
permissions:
  actions: none
  attestations: none
  checks: none
  contents: none
  deployments: none
  discussions: none
  id-token: none
  issues: none
  models: none
  packages: none
  pages: none
  pull-requests: none
  repository-projects: none
  security-events: none
  statuses: none

jobs:
  auto-approve:
    # Only the 'auto-approve' label counts, and PRs from forks are never
    # approved: a fork head can be force-pushed by the fork owner after the
    # label was applied.
    if: >-
      github.event.label.name == 'auto-approve' &&
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    # This block scopes GITHUB_TOKEN only. The step below authenticates with
    # AUTOMATION_GITHUB_TOKEN instead, whose reach is bounded by that token's
    # own scopes rather than by anything written here — that secret should be
    # scoped no wider than pull-request write access on this repository.
    permissions:
      pull-requests: write
    steps:
      # Pinned to a full commit SHA so a moved tag cannot swap the action body.
      - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363  # v4.0.0
        with:
          github-token: ${{ secrets.AUTOMATION_GITHUB_TOKEN }}
          review-message: 'Auto approved automated PR'