auto-approve-action's People

Contributors

bennycode, dependabot-preview[bot], dependabot[bot], dolfinus, feelepxyz, ghaith96, hmarr, jsoref, ktmouk, lelia, lukehedger, michaeldeboey, roryabraham, sideeffffect, studroid, tristanbes, vincejv

auto-approve-action's Issues

Parameter ''using: node16' is not supported, use 'docker' or 'node12' instead"

Our workflow job has been failing since new changes were added to the code. It fails to load auto-approve-action and throws the error below.

System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values. (Parameter ''using: node16' is not supported, use 'docker' or 'node12' instead.').

We also tried to use the action below in our workflow to install node16:

      - uses: actions/setup-node@v2
        with:
          node-version: '16'
          cache: 'npm'
      - run: npm install

Add Support for Rejecting a PR

I have a use case where some workflows only apply if submitting code files (.py, .js, etc). There is an abbreviated workflow for documentation-only changes (.md, etc). Because of this, I can't "require" my workflows by name, just that any that report in aren't failing. There is also a bit of a race condition, it seems, where a PR can be merged when workflow jobs are running, but haven't reported pass/fail.

With this in mind, I'd love to see it support rejecting PRs. My proposed workflow with that:

  1. Start workflow
  2. Reject PR
  3. Tests
  4. Coverage
  5. Build
  6. ...
  7. Approve PR

Codeowner required reviews

Is there any way to make this satisfy the "Require review from codeowners" branch protection rule?

I tried adding the user github-actions to the CODEOWNERS file for the dependency files (i.e. package.json, yarn.lock), but unfortunately that does not seem to work.

I'm hoping there is some way I can require a review from a codeowner in general, but allow this action's approval to be sufficient for dependency PR's.

Create a new tag

Thanks for this action!

It seems that there hasn't been a new tag in a while. Would it be possible to publish a new tag? I prefer my actions to point to a tag and not a branch for stability.

Not Found

Recently (in the last 2 weeks), this action has started failing frequently in our builds. The only error is 'Not Found'; there is no indication of what is not found. Often retrying fixes this; however, previously this was working very reliably.

GITHUB_TOKEN read-only breaks github action

See #180 for some details on this issue.

March 1st, Github changed the GITHUB_TOKEN to be read-only for all workflows. See the announcement dated Feb 19, 2020. This has to do with security vulnerabilities with using the pull_request_target trigger and scoping permissions. See guide on Preventing Pwn Requests.

Unfortunately this breaks the integration as seen here:

Screen Shot 2021-03-10 at 9 51 19 AM

Changing the trigger to pull_request does not fix it because write permissions are needed to create a review of the PR.

While I don't have a solution for fixing this I have reconfigured my job to look like this per the security guidelines, primarily using labels:

name: auto approve
on:
  pull_request_target:
    types: [labeled]

jobs:
  auto-approve:
    runs-on: ubuntu-latest
    steps:
      - uses: hmarr/[email protected]
        if: github.actor == 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'dependencies')
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

I want to thank @skjnldsv and @alexwilson for having provided the context I needed to dig into this.

Only 1st stale review is refreshed

Hi!
Looks like there is an issue with refreshing stale reviews when there is more than one. Only the 1st stale review is refreshed in this case. So it is not possible to approve a PR automatically if 2 or more reviews are required by branch protection rules.

Example config:

      - name: Add approval 1
        uses: hmarr/auto-approve-action@v3
        with:
          github-token: ${{ secrets.TOKEN1 }}

      - name: Add approval 2
        uses: hmarr/auto-approve-action@v3

Steps to reproduce:

  1. Create workflow with steps above
  2. Wait for approvals and then push another commit to dismiss initial reviews

Actual behavior:
Only one review refreshed

Expected behavior:
All reviews refreshed

github action not being triggered

Hi I am trying to automate all dependabot PRs but the action does not appear to be triggered. The actor for the PRs is a user in our team (me or another eng).

We removed the if condition and just assumed all branches with dependabot/ as prefix could be safely approved (it's a private repo).

This seems to have no effect

name: Auto approve

on:
  pull_request:
    branches:
    - "dependabot/**"

jobs:
  approve:
    name: Auto-approve dependabot PRs
    runs-on: ubuntu-latest
    steps:
    - uses: hmarr/[email protected]
      with:
        github-token: "${{ secrets.GITHUB_TOKEN }}"

Error: Resource not accessible by integration

With

name: Auto approve

on:
  pull_request

jobs:
  auto-approve:
    runs-on: ubuntu-latest
    steps:
      - uses: hmarr/[email protected]
        if: github.actor == 'scala-steward'
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

we get
https://github.com/zio/zio-prelude/pull/301/checks?check_run_id=1146830048#step:2:4

2020-09-21T23:47:05.5371413Z ##[section]Starting: Request a runner to run this job
2020-09-21T23:47:05.8573243Z Can't find any online and idle self-hosted runner in current repository that matches the required labels: 'ubuntu-latest'
2020-09-21T23:47:05.8573769Z Can't find any online and idle self-hosted runner in current repository's account/organization that matches the required labels: 'ubuntu-latest'
2020-09-21T23:47:05.8574756Z Found online and idle hosted runner in current repository's account/organization that matches the required labels: 'ubuntu-latest'
2020-09-21T23:47:05.9896241Z ##[section]Finishing: Request a runner to run this job
2020-09-21T23:47:13.3495011Z Current runner version: '2.273.2'
2020-09-21T23:47:13.3526627Z ##[group]Operating System
2020-09-21T23:47:13.3527466Z Ubuntu
2020-09-21T23:47:13.3527798Z 18.04.5
2020-09-21T23:47:13.3528109Z LTS
2020-09-21T23:47:13.3528451Z ##[endgroup]
2020-09-21T23:47:13.3528872Z ##[group]Virtual Environment
2020-09-21T23:47:13.3529366Z Environment: ubuntu-18.04
2020-09-21T23:47:13.3529732Z Version: 20200914.1
2020-09-21T23:47:13.3530577Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu18/20200914.1/images/linux/Ubuntu1804-README.md
2020-09-21T23:47:13.3531497Z ##[endgroup]
2020-09-21T23:47:13.3532662Z Prepare workflow directory
2020-09-21T23:47:13.3715625Z Prepare all required actions
2020-09-21T23:47:13.3729431Z Download action repository 'hmarr/[email protected]'
2020-09-21T23:47:16.0791854Z ##[group]Run hmarr/[email protected]
2020-09-21T23:47:16.0792488Z with:
2020-09-21T23:47:16.0793409Z   github-token: ***
2020-09-21T23:47:16.0793769Z ##[endgroup]
2020-09-21T23:47:16.9667270Z ##[error]Resource not accessible by integration
2020-09-21T23:47:16.9705943Z Cleaning up orphan processes

Does anybody have any idea what's going on?
Thank you

Approval of a PR made by another action

Is it possible to run this action right after another action has created a pull request?

Neither push event nor pull_request in my case trigger this action.

At the same time, it’s also not very clear how to correctly filter PR made by an action. Should it be if: github.actor == 'github-action' or if: github.actor == 'github-action[bot]' or something else?

Upgrade node version to 20

Node 12 and 16 has reached its end of life, prompting us to initiate its deprecation process for GitHub Actions. Our plan is to transition all actions to run on Node 20 by Spring 2024. We will actively monitor the migration's progress and gather community feedback before finalizing the transition date. Starting October 23rd, workflows containing actions running on Node 16 will display a warning to alert users about the upcoming migration.

Action does not perform review when requesting for re-review

Steps to reproduce:

  1. Setup action, create a PR, and have it auto reviewed
  2. Request for re-review in PR, without further code changes, review status should be something like this
    image
  3. Trigger auto-approve-action

Actual output:
Does not do a re-review, but logs a warning: Current user already approved pull request #31, nothing to do, despite the PR needing a re-review

Expected output:
auto-approve-action should perform a re-review as the status is "Awaiting requested review...", if re-review is successful, status should be updated to "Approved"

Here's a sample PR: vincejv/fpi-framework#31

Auto-approve self PR created by script

Hello,

I have a case where I would like to auto-approve a PR created by a script, but I'm not sure the auto-approve will work using the same CIRCLECI TOKEN that was used to create the PR.

Do you have an idea about that?

Thank you

Github actions rate limit

Hello again,

We work with a large number of repositories (we currently have 300+), 50+% of which have dependabot.

When we manage to deploy the auto-approve-action to all of those repositories, I'm afraid we're going to hit the limit, since dependabot is set to open pull requests on a daily or weekly basis on those repositories.

Do you have any hints on this subject?

New YML syntax; the older one will be removed on 31st September 2019

GitHub Actions now uses YAML syntax in workflow files. Support for the HCL syntax in GitHub Actions will be deprecated on September 30, 2019. To continue using workflows that you created with the HCL syntax, you'll need to migrate the workflow files to the new YAML syntax using the migration script.

See: https://help.github.com/en/articles/migrating-github-actions-from-hcl-syntax-to-yaml-syntax#about-the-new-yaml-syntax-for-github-actions

cryptic error message if using token from same user as PR

I've been using this action with some of my repos that don't have any other contributors yet to let me keep my branch protection rules consistent and not have to override things all the time. Basically, it auto-approves any PRs from me[1].

I had been using this on another repo for the last week, so I know it worked. But, when I tried to add it to this repo, it started failing for no apparent reason with a cryptic error message:

2020-01-14T05:48:07.4882141Z ##[section]Starting: Request a runner to run this job
2020-01-14T05:48:07.9248081Z Requesting a hosted runner in current repository's account/organization with labels: 'ubuntu-latest', require runner match: True
2020-01-14T05:48:07.9748667Z Labels matched hosted runners has been found, waiting for one of them get assigned for this job.
2020-01-14T05:48:07.9898495Z ##[section]Finishing: Request a runner to run this job
2020-01-14T05:48:15.4563923Z Current runner version: '2.163.1'
2020-01-14T05:48:15.4565022Z Prepare workflow directory
2020-01-14T05:48:15.4750214Z Prepare all required actions
2020-01-14T05:48:15.4773005Z Download action repository 'hmarr/[email protected]'
2020-01-14T05:48:17.4438421Z ##[group]Run hmarr/[email protected]
2020-01-14T05:48:17.4438799Z with:
2020-01-14T05:48:17.4439111Z   github-token: ***
2020-01-14T05:48:17.4439269Z ##[endgroup]
>> 2020-01-14T05:48:18.0912619Z ##[error]Unprocessable Entity
>> 2020-01-14T05:48:18.0926535Z ##[error]Node run failed with exit code 1
2020-01-14T05:48:18.0945674Z Cleaning up orphan processes

I was at a loss for what this might mean, though searches indicated that this is the error that a lot of GitHub APIs give when you try to create something twice.

After much frustration, I finally tried duplicating the exact scenario on my first repo (the config files were already identical but I had been using a different token, though with the same permissions) by setting the token in question to one from the same user (my bot with admin access). ...after doing this, and it working, I realized my mistake: the action was using my user's token to attempt to approve a PR from itself. 🤦‍♂️

Hindsight 20/20, but this would actually be something that would be really good to check for, if possible. At the very least, a more useful error message and/or optional debug logging would be helpful.

[1] https://github.com/mattsb42/repo-admin/blob/master/.github/workflows/ops_auto-approve-me.yaml

Do not auto approve if at least one file does not match the path

We have a requirement where we do not want to auto-approve a PR if at least one modified file in the PR does not match the path for which the GitHub action is defined.

For example, consider the following directory structure:

- dev
   |- deployment.yml 
- prd
   |- deployment.yml

We want all changes in the dev directory to be auto-approved, but we do not want to auto-approve any changes in prd.

We have the following workflow action configured:

name: Auto Approve
on:
  pull_request:
    paths:
      - 'dev/**'
      - '!prd/**'
jobs:
  automerge:
    runs-on: ubuntu-latest
    steps:
      - name: Auto Approve
        uses: hmarr/[email protected]
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

This works fine when we have changes either in the dev directory or in the prd directory. But when we have changes in both the dev and prd directories, it also auto-approves, as there is at least one file in the PR which matches the path.

This seems expected as per the documentation for path.

I was wondering if we can do anything in the action to block auto-approve if at least one file does not match the path.
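
A fail-closed form of the check this issue asks for, as an added example (not part of the issue and not code from auto-approve-action): it approves only when every changed file, including the old path of a rename, sits under an allowed directory. The input objects are assumed to carry the `filename`, `status` and `previous_filename` fields of GitHub's "list pull request files" response; `ALLOWED_PREFIXES` and the function names are hypothetical.

```javascript
// Added example: fail-closed path gate for auto-approval.
// Input objects mirror the filename / status / previous_filename fields of the
// GitHub REST "list pull request files" response. All names here are hypothetical.

// Directories whose changes may be auto-approved (from the issue: only dev/).
const ALLOWED_PREFIXES = ['dev/'];

function isAllowed(path, prefixes) {
  // Reject anything that is not a plain relative path under an allowed prefix.
  if (typeof path !== 'string' || path.length === 0) return false;
  if (path.startsWith('/') || path.split('/').includes('..')) return false;
  return prefixes.some((p) => path.startsWith(p));
}

// Returns every path that blocks auto-approval.
function blockingPaths(files, prefixes = ALLOWED_PREFIXES) {
  const blocked = [];
  for (const f of files) {
    if (!isAllowed(f.filename, prefixes)) blocked.push(String(f.filename));
    // A rename also changes the source location, so the old path must pass too.
    if (f.status === 'renamed' && !isAllowed(f.previous_filename, prefixes)) {
      blocked.push(f.previous_filename || '(unknown previous path)');
    }
  }
  return blocked;
}

// expectedCount is the pull request's changed_files value. If the listing is
// empty or shorter than that (missed pagination, API cap), refuse to approve.
function shouldAutoApprove(files, expectedCount, prefixes = ALLOWED_PREFIXES) {
  if (files.length === 0 || files.length !== expectedCount) {
    return { approve: false, reason: 'incomplete file listing', blocked: [] };
  }
  const blocked = blockingPaths(files, prefixes);
  return blocked.length === 0
    ? { approve: true, reason: 'all files under allowed paths', blocked }
    : { approve: false, reason: 'files outside allowed paths', blocked };
}
```

Run this in a step before the approval step and skip the approval whenever `approve` is false; the `paths` filter on the trigger then only decides whether the workflow starts at all.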

Ability to approve pull request multiple times

Hello,

On a repository, we have a rule that forces 2 reviewers minimum.

Do you think it'd be possible to configure this action to approve the pull request twice (or any configurable number of times)?

Thanks

Auto Approve code owners.

Hello, hope you are doing great.

  • Thank you for this awesome workflow action :)
  • My aim is: when a PR is submitted by bot, it should be auto-approved by code-owner and not github-actions.
  • PR from bot is identified using github.actor.
  • Followed README and setup following action:
name: Auto approve

on:
  pull_request

jobs:        
  auto-approve:
    runs-on: ubuntu-latest
    steps:
    - uses: hmarr/[email protected]
      if: (github.actor == 'awsgitbot' || github.actor == 'awsgitbot')
      with:
        github-token: "${{ secrets.GITHUB_TOKEN }}"
  • auto-approve works as expected, but the approval is done by github-actions and not by code owner.
  • when the condition is updated to: (github.actor == 'awsgitbot' || github.actor == 'awsgitbot') && contains(github.event.pull_request.body, 'will automatically merge'), no approval is performed.
  • please lmk if any other info is needed and guide me on same. appreciate your help and time.

GITHUB_TOKEN permissions used by this action

At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of GITHUB_TOKEN permissions needed by different GitHub Actions. When developers try to set minimum token permissions for their workflows, they can use this knowledge-base instead of trying to research permissions needed by each GitHub Action they use.

Below you can see the KB of your GITHUB Action.

name: 'Auto Approve'
github-token:
  action-input:
    input: github-token
    is-default: false
  permissions:
    pull-requests: write
    pull-requests-reason: to approve PRs #Checkout: https://github.com/hmarr/auto-approve-action/blob/6a9ec7556f0a7fa5b49527a1eea4878b8a22d2e0/src/approve.ts#L27
#Fixes #505

If you think this information is not accurate, or if in the future your GitHub Action starts using a different set of permissions, please create an issue at https://github.com/step-security/secure-workflows/issues to let us know.

This issue is automatically created by our analysis bot, feel free to close after reading :)

References:

GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.

Setting minimum token permissions is also checked for by Open Source Security Foundation (OpenSSF) Scorecards. Scorecards recommend using https://github.com/step-security/secure-workflows so developers can fix this issue in an easier manner.

Problems with github token

Hi, I'm getting this error when attempting to run auto-approve for dependabot PRs. The full workflow:

name: "Auto approve Dependabot updates"

on: pull_request

jobs:
  approve:
    name: Auto approve dependabot pull requests
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: hmarr/auto-approve-action@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"

The GITHUB_TOKEN secret is the default actions token.
But I'm getting the following output:

Run hmarr/auto-approve-action@v2
  with:
    github-token: ***
Creating approving review for pull request #51
Error: Resource not accessible by integration. In some cases, the GitHub token used for actions triggered from `pull_request` events are read-only, which can cause this problem. Switching to the `pull_request_target` event typically resolves this issue.

I seem to remember this working before. Not sure what has changed. Any ideas?

Dismiss an auto-approval upon new commit

Hello,

I have a use case in which PRs are auto-approved when changes are made to files located in some repo path. However, users could push new commits that contain changes to files outside of the auto-approved file path. At that point, it'd be amazing to dismiss the "stale" review and not auto-approve anymore. Is this supported? If so, feel free to point me to docs, ofc!

Allow specifying `commit_id`

Use of this action in its current form (and examples) puts users at risk of a race condition variant of pull request hijacking.

The way such an attack would work is this: As a user who has write access to a repo but is NOT supposed to be able to merge code on my own, I wait until an automated workflow creates a PR that will be auto-approved by this action. If I can push my own malicious commit onto the PR branch in the moment between when the PR is created and this action is run to approve the PR, the malicious commit will be approved.

Fortunately, there is a straightforward way to fix this! If you allow specifying the commit_id to be approved, even if a malicious commit is pushed onto the branch before the approval action fires, the approval won't allow merging the malicious commit because the approval will be non-current.

It would be used in a workflow like this:

      - name: Create Pull Request
        id: create-pull-request
        uses: peter-evans/create-pull-request@v5
      - name: Generate Token (Approver)
        id: generate-approver-token
        uses: tibdex/github-app-token@v1
        if: ${{ steps.create-pull-request.outputs.pull-request-number }}
        with:
          app_id: ${{ secrets.APPROVER_APP_ID }}
          private_key: ${{ secrets.APPROVER_APP_PRIVATE_KEY }}
      - name: Approve Pull Request
        uses: hmarr/auto-approve-action@v3
        if: ${{ steps.generate-approver-token.outputs.token }}
        with:
          commit-id: ${{ steps.create-pull-request.outputs.pull-request-head-sha }}
          github-token: ${{ steps.generate-approver-token.outputs.token }}
          pull-request-number: ${{ steps.create-pull-request.outputs.pull-request-number }}
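
The race described in this issue, replayed as an added example (not part of the issue and not code from auto-approve-action). The `event` and `commit_id` fields are those of GitHub's "create a review for a pull request" endpoint, where an omitted `commit_id` defaults to the most recent commit; the SHAs, the login, the toy `submitReview` server and the merge gate that only counts approvals on the current head are constructed assumptions.

```javascript
// Added example: why pinning commit_id closes the approval race.
// commit_id, event and head.sha follow GitHub REST API field names; the SHAs,
// login, toy server and merge-gate policy below are constructed assumptions.

const SHA_CREATED = 'a'.repeat(40); // commit the workflow created (constructed)
const SHA_PUSHED = 'b'.repeat(40);  // commit pushed afterwards (constructed)

// Body for POST /repos/{owner}/{repo}/pulls/{n}/reviews, pinned to one commit.
function buildApproval(expectedSha) {
  if (!/^[0-9a-f]{40}$/.test(expectedSha || '')) {
    throw new Error('refusing to approve without a full 40-hex commit SHA');
  }
  return { event: 'APPROVE', commit_id: expectedSha };
}

// Toy server: records the review against commit_id, or against the current
// head when commit_id is omitted (the API's documented default).
function submitReview(pr, login, body) {
  const review = {
    user: login,
    state: 'APPROVED',
    commit_id: body.commit_id || pr.head.sha,
  };
  pr.reviews.push(review);
  return review;
}

// Assumed merge gate: only approvals made on the current head commit count.
function hasCurrentApproval(pr) {
  return pr.reviews.some(
    (r) => r.state === 'APPROVED' && r.commit_id === pr.head.sha
  );
}

// Replay: PR created at SHA_CREATED, the head moves, then the approval runs.
function replay(pinned) {
  const pr = { head: { sha: SHA_CREATED }, reviews: [] };
  pr.head.sha = SHA_PUSHED; // a push lands before the approval step
  const body = pinned ? buildApproval(SHA_CREATED) : { event: 'APPROVE' };
  const review = submitReview(pr, 'approver-app[bot]', body);
  return { reviewedSha: review.commit_id, mergeable: hasCurrentApproval(pr) };
}
```

`replay(false)` ends with the approval attached to the later commit, while `replay(true)` leaves the approval on the commit the workflow created, so the gate keeps the pull request blocked.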

Parsing Date

While using this action with workflows, I receive the following error:

2019/08/12 19:50:43 parsing time ""6/11/2019 1:51:07 PM"" as ""2006-01-02T15:04:05Z07:00"": cannot parse "/2019 1:51:07 PM"" as "2006"

Action passes when GH Token Access fails

I was a bit confused that the action passed even though I forgot to add a GitHub token to my "Secrets":

image

When the action has an error it should actually throw that error and make the build step fail.

Duplicate approvals

After making a change to an approved path, every subsequent commit triggers a new approval. The logs say it is looking for existing reviews, but seems to not find the last one.

Logs from the second run:

Fetching user, pull request information, and existing reviews
Current user is github-actions[bot]
Commit SHA is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Pull request #123 has not been approved yet, creating approving review
Approved pull request #123

workflow config:

name: Auto approval
on:
  pull_request:
    branches:
      - main
    paths:
      - 'some-dir/**'
jobs:
  auto-approve:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: hmarr/auto-approve-action@v3
        with:
          review-message: "Automatic approval of ..."

Perhaps there's a missing permission that is preventing it from fetching existing reviews?

Syntax error when using this action

Hi,

When using this role, it leads to a syntax error. I don't know what I did wrong though.

workflow "Auto Approve" {
  on = "pull_request"
  resolves = ["hmarr/auto-approve-action"]
}

action "Filters for GitHub Actions" {
  uses = "actions/bin/filter@3c0b4f0e63ea54ea5df2914b4fabf383368cd0da"
  args = "actor dependabot[bot]"
}

action "hmarr/auto-approve-action" {
  uses = "hmarr/auto-approve-action"
  needs = ["Filters for GitHub Actions"]
  secrets = ["GITHUB_TOKEN"]
}

Error is the following:

Parse error
Line 12: The `uses' attribute must be a path, a Docker image, or owner/repo@ref

Solution:

You need to edit:
uses = "hmarr/auto-approve-action"
to
uses = "hmarr/auto-approve-action@master" (if you want to use the master branch)

Github_token does not exist

Hi,

The github action fails sometimes for no reason with value:

### ERRORED 13:47:41Z

- GITHUB_TOKEN secret does not exist

Action "succeeds" but does not actually add a review

I added the action, then updated a PR, then saw the action run. However, while the action succeeded, no approval was added to the PR. Am I doing something wrong? I saw the "Run hmarr/auto-approve-action" is a grey circle rather than a green checkmark-- did it fail to actually run? Here is the PR.

Dependabot couldn't find a go.mod for this project

Dependabot couldn't find a go.mod for this project.

Dependabot requires a go.mod to evaluate your project's current Go dependencies. It had expected to find one at the path: /go.mod.

If this isn't a Go project, or if it is a library, you may wish to disable updates for it from within Dependabot.

You can mention @dependabot in the comments below to contact the Dependabot team.
