auto-unapprove/example-workflow.yml at main · step-security/auto-unapprove · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
name: Auto Unapprove Reviews

on:
  # Trigger when PR is synchronized (new commits)
  pull_request:
    types: [synchronize]

  # Optional: Allow manual trigger
  workflow_dispatch:
    inputs:
      pr-number:
        description: "PR Number"
        required: true
        type: number
      dry-run:
        description: "Dry run mode"
        required: false
        default: true
        type: boolean

jobs:
  auto-unapprove:
    runs-on: ubuntu-latest
    env:
      ACTIONS_STEP_DEBUG: ${{ secrets.ACTIONS_STEP_DEBUG }}

    steps:
      # Create GitHub App token with necessary permissions for team access
      - name: Create GitHub App Token
        uses: actions/create-github-app-token@v3
        id: app-token
        with:
          app-id: ${{ vars.REVIEWS_APP_ID }}
          private-key: ${{ secrets.REVIEWS_APP_PRIVATE_KEY }}
          # Add repositories and permissions as needed
          repositories: ${{ github.repository }}

      # Dry run first (safe analysis)
      - name: Analyze Reviews (Dry Run)
        uses: step-security/auto-unapprove@v1
        with:
          github-token: ${{ steps.app-token.outputs.token }}
          pr-number: ${{ github.event.number || github.event.inputs.pr-number }}
          dry-run: "true"
          code-owners-file: "CODEOWNERS" # Optional: custom path
          target-branch: ${{ github.event.pull_request.base.ref }}
          team-start-with: "@" # Team prefix - use '@your-org/' for org-specific teams

---
# Alternative: Using GITHUB_TOKEN (limited team access)
name: Auto Unapprove (Basic)

on:
  pull_request:
    types: [synchronize]

jobs:
  auto-unapprove-basic:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write

    steps:
      - name: Dismiss Stale Reviews
        uses: step-security/auto-unapprove@v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          pr-number: ${{ github.event.number }}
          dry-run: "false"
          code-owners-file: ".github/CODEOWNERS"
          target-branch: ${{ github.event.pull_request.base.ref }}
          team-start-with: "@"

---
# Advanced: Conditional execution
name: Auto Unapprove (Conditional)

on:
  pull_request:
    types: [synchronize]

jobs:
  auto-unapprove-advanced:
    runs-on: ubuntu-latest
    # Only run for non-draft PRs with changes
    if: |
      !github.event.pull_request.draft &&
      github.event.pull_request.changed_files > 0

    steps:
      - name: Create GitHub App Token
        uses: actions/create-github-app-token@v3
        id: app-token
        with:
          app-id: ${{ vars.REVIEWS_APP_ID }}
          private-key: ${{ secrets.REVIEWS_APP_PRIVATE_KEY }}

      # Run only on certain file patterns
      - name: Check Changed Files
        id: changes
        uses: dorny/paths-filter@v2
        with:
          filters: |
            code:
              - 'src/**'
              - 'lib/**'
              - '*.py'
              - '*.js'
              - '*.ts'

      - name: Dismiss Reviews (Code Changes Only)
        if: steps.changes.outputs.code == 'true'
        uses: step-security/auto-unapprove@v1
        with:
          github-token: ${{ steps.app-token.outputs.token }}
          pr-number: ${{ github.event.number }}
          dry-run: "false"
          target-branch: ${{ github.event.pull_request.base.ref }}
          team-start-with: "@myorg/" # Organization-specific team prefix

---
# Multi-repository setup
name: Auto Unapprove (Multi-repo)

on:
  pull_request:
    types: [synchronize]

jobs:
  auto-unapprove-multi:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        config:
          - repo: "frontend"
            codeowners: ".github/CODEOWNERS"
            team_prefix: "@frontend-org/"
          - repo: "backend"
            codeowners: "CODEOWNERS"
            team_prefix: "@backend-org/"
          - repo: "docs"
            codeowners: "docs/CODEOWNERS"
            team_prefix: "@"

    steps:
      - name: Create GitHub App Token
        uses: actions/create-github-app-token@v3
        id: app-token
        with:
          app-id: ${{ vars.REVIEWS_APP_ID }}
          private-key: ${{ secrets.REVIEWS_APP_PRIVATE_KEY }}
          repositories: myorg/${{ matrix.config.repo }}

      - name: Dismiss Reviews
        uses: step-security/auto-unapprove@v1
        with:
          github-token: ${{ steps.app-token.outputs.token }}
          pr-number: ${{ github.event.number }}
          dry-run: "false"
          code-owners-file: ${{ matrix.config.codeowners }}
          target-branch: ${{ github.event.pull_request.base.ref }}
          team-start-with: ${{ matrix.config.team_prefix }}