chore: remove release notes override #144
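---
# Auto-approve (and, when safe, enable auto-merge for) pull requests driven by
# trusted actors. `workflow_dispatch` runs carry no pull_request payload, so the
# job is skipped for them via the job-level `if` below.
name: Auto-approve

on:  # yamllint disable-line rule:truthy
  pull_request:
    types: [opened, synchronize, reopened]
  workflow_dispatch:

# Workflow-wide default is read-only; the job requests only what it needs.
permissions:
  contents: read

concurrency:
  group: auto-approve-${{ github.event.pull_request.number || github.run_id }}
  cancel-in-progress: true

jobs:
  auto-approve:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    permissions:
      contents: write        # needed by `gh pr merge --auto`
      pull-requests: write   # needed by `gh pr review --approve`
    # Run only for real PR events (workflow_dispatch has no PR number, so the
    # gh commands below would receive an empty argument), never for PRs opened
    # by github-actions[bot], and only for the two trusted actors.
    if: >-
      github.event_name == 'pull_request' &&
      github.event.pull_request.user.login != 'github-actions[bot]' &&
      (github.actor == 'SebTardif' ||
       github.actor == 'patchloom-release[bot]')
    # Context values reach the shell through environment variables instead of
    # being interpolated into `run:` text, the hardening idiom GitHub recommends.
    # There is no checkout step in this job, so every gh call passes --repo
    # explicitly rather than relying on a git remote being present.
    env:
      PR_NUMBER: ${{ github.event.pull_request.number }}
      REPO: ${{ github.repository }}
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit

      - name: Approve PR
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh pr review --approve "$PR_NUMBER" --repo "$REPO"

      # Check for workflow file changes early (to decide whether we can safely use App token for auto-merge).
      # This step is made robust so a transient gh failure does not fail the job (approve step already ran).
      - name: Check for workflow file changes (use GITHUB_TOKEN fallback to avoid needing workflows:write on App)
        id: wf-changes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          files=$(gh pr view "$PR_NUMBER" --repo "$REPO" --json files --jq '.files[].path' || echo "")
          if echo "$files" | grep -q '^\.github/workflows/'; then
            echo "changes=true" >> "$GITHUB_OUTPUT"
            echo "PR touches .github/workflows/; will use GITHUB_TOKEN for auto-merge (no workflows:write needed on App)"
          else
            echo "changes=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Mint App installation token
        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
        if: github.event.pull_request.user.login != 'patchloom-release[bot]' && steps.wf-changes.outputs.changes != 'true'
        id: app-token
        with:
          client-id: ${{ vars.APP_CLIENT_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      # Strong guard against accidental/automated release PR merges is also
      # implemented here (label check below) and via scripts/guard-no-release-merge.sh.
      # See AGENTS.md "Release PRs - Strong Guard" section.
      - name: 'Strong guard - detect release-please PRs (autorelease: pending label)'
        id: release-guard
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          # Fail closed: if the labels cannot be read, treat the PR as a release
          # PR so auto-merge is skipped. The approval from the earlier step still
          # applies and a maintainer can merge manually.
          if ! labels=$(gh pr view "$PR_NUMBER" --repo "$REPO" --json labels --jq '.labels[].name'); then
            echo "is_release_pr=true" >> "$GITHUB_OUTPUT"
            echo "Could not read PR labels; treating PR as a release PR and skipping auto-merge"
            exit 0
          fi
          if echo "$labels" | grep -qF 'autorelease: pending'; then
            echo "is_release_pr=true" >> "$GITHUB_OUTPUT"
            echo "Release PR detected by label 'autorelease: pending' - will skip auto-merge (user must explicitly approve merges of release PRs)"
          else
            echo "is_release_pr=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Enable auto-merge (App token when no wf changes; GITHUB_TOKEN fallback otherwise)
        if: >-
          github.event.pull_request.user.login != 'patchloom-release[bot]' &&
          steps.release-guard.outputs.is_release_pr != 'true'
        env:
          # App token is only minted when no workflow files changed; otherwise
          # fall back to GITHUB_TOKEN.
          GH_TOKEN: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
        run: |
          gh pr merge --auto --squash "$PR_NUMBER" --repo "$REPO" \
            || echo "Could not enable auto-merge (common when PR modifies .github/workflows/* using GITHUB_TOKEN fallback, or release guard, or other). Approval from prior step still applies; use manual merge if needed."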