hmarr / auto-approve-action
GitHub Action for automatically approving GitHub pull requests
License: MIT License
Hello,
It may sound like a dumb question, but the doc says GITHUB_TOKEN should be checked.
Should we create it too using "create a new secret"? If yes, which permissions are required for this TOKEN? Should it be created using a particular account?
Thank you :)
ping @greysteil
Our workflow job has been failing since new changes were added to the code. It fails to load auto-approve-action and throws the error below.
System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values. (Parameter ''using: node16' is not supported, use 'docker' or 'node12' instead.').
and also tried to use the below action in our workflow to install node16
I have a use case where some workflows only apply if submitting code files (.py, .js, etc). There is an abbreviated workflow for documentation-only changes (.md, etc). Because of this, I can't "require" my workflows by name, just that any that report in aren't failing. There is also a bit of a race condition, it seems, where a PR can be merged when workflow jobs are running but haven't reported pass/fail.
With this in mind, I'd love to see it support rejecting PRs. My proposed workflow with that:
Anyone with write access to the repo who wants to bypass code review requirements can effectively do so by adding a github action that approves their PR. I think this should be clearly documented near the dependabot use-case (unless there's something I'm unaware of that can be done to prevent this).
Is there any way to make this satisfy the "Require review from codeowners" branch protection rule?
I tried adding the user github-actions to the CODEOWNERS file for the dependency files (i.e. package.json, yarn.lock), but unfortunately that does not seem to work.
I'm hoping there is some way I can require a review from a codeowner in general, but allow this action's approval to be sufficient for dependency PRs.
Thanks for this action!
It seems that there hasn't been a new tag in a while. Would it be possible to publish a new tag? I prefer my actions to point to a tag and not a branch for stability.
Recently (in the last 2 weeks) this action has started failing frequently in our builds, the only error being 'Not Found'; there is no indication what is not found.
Often retrying fixes this; however, previously this was working very reliably.
See #180 for some details on this issue.
March 1st, Github changed the GITHUB_TOKEN to be read-only for all workflows. See the announcement dated Feb 19, 2020. This has to do with security vulnerabilities with using the pull_request_target trigger and scoping permissions. See guide on Preventing Pwn Requests.
Unfortunately this breaks the integration as seen here:
Changing the trigger to pull_request does not fix it because write permissions are needed to create a review of the PR.
While I don't have a solution for fixing this I have reconfigured my job to look like this per the security guidelines, primarily using labels:
name: auto approve
on:
  pull_request_target:
    types: [labeled]
jobs:
  auto-approve:
    runs-on: ubuntu-latest
    steps:
      - uses: hmarr/[email protected]
        if: github.actor == 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'dependencies')
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
I want to thank @skjnldsv and @alexwilson for having provided the context I needed to dig into this.
Hi!
Looks like there is an issue with refreshing stale reviews when there is more than one. Only the 1st stale review is refreshed in this case. So it is not possible to approve a PR automatically if 2 or more reviews are required by branch protection rules.
Example config:
- name: Add approval 1
  uses: hmarr/auto-approve-action@v3
  with:
    github-token: ${{ secrets.TOKEN1 }}
- name: Add approval 2
  uses: hmarr/auto-approve-action@v3
Steps to reproduce:
Actual behavior:
Only one review refreshed
Expected behavior:
All reviews refreshed
Hi, I am trying to automate all dependabot PRs but the action does not appear to be triggered. The actor for the PRs is a user in our team (me or another eng).
We removed the if condition and just assumed all branches with dependabot/ as prefix could be safely approved (it's a private repo).
This seems to have no effect.
name: Auto approve
on:
  pull_request:
    branches:
      - "dependabot/**"
jobs:
  approve:
    name: Auto-approve dependabot PRs
    runs-on: ubuntu-latest
    steps:
      - uses: hmarr/[email protected]
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
With
name: Auto approve
on: pull_request
jobs:
  auto-approve:
    runs-on: ubuntu-latest
    steps:
      - uses: hmarr/[email protected]
        if: github.actor == 'scala-steward'
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
we get
https://github.com/zio/zio-prelude/pull/301/checks?check_run_id=1146830048#step:2:4
2020-09-21T23:47:05.5371413Z ##[section]Starting: Request a runner to run this job
2020-09-21T23:47:05.8573243Z Can't find any online and idle self-hosted runner in current repository that matches the required labels: 'ubuntu-latest'
2020-09-21T23:47:05.8573769Z Can't find any online and idle self-hosted runner in current repository's account/organization that matches the required labels: 'ubuntu-latest'
2020-09-21T23:47:05.8574756Z Found online and idle hosted runner in current repository's account/organization that matches the required labels: 'ubuntu-latest'
2020-09-21T23:47:05.9896241Z ##[section]Finishing: Request a runner to run this job
2020-09-21T23:47:13.3495011Z Current runner version: '2.273.2'
2020-09-21T23:47:13.3526627Z ##[group]Operating System
2020-09-21T23:47:13.3527466Z Ubuntu
2020-09-21T23:47:13.3527798Z 18.04.5
2020-09-21T23:47:13.3528109Z LTS
2020-09-21T23:47:13.3528451Z ##[endgroup]
2020-09-21T23:47:13.3528872Z ##[group]Virtual Environment
2020-09-21T23:47:13.3529366Z Environment: ubuntu-18.04
2020-09-21T23:47:13.3529732Z Version: 20200914.1
2020-09-21T23:47:13.3530577Z Included Software: https://github.com/actions/virtual-environments/blob/ubuntu18/20200914.1/images/linux/Ubuntu1804-README.md
2020-09-21T23:47:13.3531497Z ##[endgroup]
2020-09-21T23:47:13.3532662Z Prepare workflow directory
2020-09-21T23:47:13.3715625Z Prepare all required actions
2020-09-21T23:47:13.3729431Z Download action repository 'hmarr/[email protected]'
2020-09-21T23:47:16.0791854Z ##[group]Run hmarr/[email protected]
2020-09-21T23:47:16.0792488Z with:
2020-09-21T23:47:16.0793409Z github-token: ***
2020-09-21T23:47:16.0793769Z ##[endgroup]
2020-09-21T23:47:16.9667270Z ##[error]Resource not accessible by integration
2020-09-21T23:47:16.9705943Z Cleaning up orphan processes
Does anybody have any idea what's going on?
Thank you
Is it possible to run this action right after another action has created a pull request?
Neither the push event nor pull_request in my case triggers this action.
At the same time, it's also not very clear how to correctly filter PRs made by an action. Should it be if: github.actor == 'github-action' or if: github.actor == 'github-action[bot]' or something else?
Node 12 and 16 have reached their end of life, prompting us to initiate their deprecation process for GitHub Actions. Our plan is to transition all actions to run on Node 20 by Spring 2024. We will actively monitor the migration's progress and gather community feedback before finalizing the transition date. Starting October 23rd, workflows containing actions running on Node 16 will display a warning to alert users about the upcoming migration.
Steps to reproduce:
auto-approve-action
Actual output:
Does not do a re-review, but logs a warning: Current user already approved pull request #31, nothing to do, despite the PR needing a re-review
Expected output:
auto-approve-action should perform a re-review as the status is "Awaiting requested review..."; if re-review is successful, status should be updated to "Approved"
Here's a sample PR: vincejv/fpi-framework#31
Hi, it says in your documentation:
"To approve the pull request as a different user, pass a GitHub Personal Access Token into the github-token input"
My question is, what access does this action need?
Hello,
I have a case where I would like to auto-approve a PR created by a script. But I'm not sure the auto-approve will work using the same CIRCLECI TOKEN that was used to create the PR.
Do you have an idea about that?
Thank you
Hello again,
When working with a large number of repositories (we currently have 300+), 50+% of which have dependabot.
When we manage to deploy the auto-approve-action to all of those repositories, I'm afraid we're going to hit the limit, since dependabot is set to open pull requests on a daily or weekly basis on those repositories.
Do you have any hints on this subject?
GitHub Actions now uses YAML syntax in workflow files. Support for the HCL syntax in GitHub Actions will be deprecated on September 30, 2019. To continue using workflows that you created with the HCL syntax, you'll need to migrate the workflow files to the new YAML syntax using the migration script.
I've been using this action with some of my repos that don't have any other contributors yet to let me keep my branch protection rules consistent and not have to override things all the time. Basically, it auto-approves any PRs from me[1].
I had been using this on another repo for the last week, so I know it worked. But, when I tried to add it to this repo, it started failing for no apparent reason with a cryptic error message:
2020-01-14T05:48:07.4882141Z ##[section]Starting: Request a runner to run this job
2020-01-14T05:48:07.9248081Z Requesting a hosted runner in current repository's account/organization with labels: 'ubuntu-latest', require runner match: True
2020-01-14T05:48:07.9748667Z Labels matched hosted runners has been found, waiting for one of them get assigned for this job.
2020-01-14T05:48:07.9898495Z ##[section]Finishing: Request a runner to run this job
2020-01-14T05:48:15.4563923Z Current runner version: '2.163.1'
2020-01-14T05:48:15.4565022Z Prepare workflow directory
2020-01-14T05:48:15.4750214Z Prepare all required actions
2020-01-14T05:48:15.4773005Z Download action repository 'hmarr/[email protected]'
2020-01-14T05:48:17.4438421Z ##[group]Run hmarr/[email protected]
2020-01-14T05:48:17.4438799Z with:
2020-01-14T05:48:17.4439111Z github-token: ***
2020-01-14T05:48:17.4439269Z ##[endgroup]
>> 2020-01-14T05:48:18.0912619Z ##[error]Unprocessable Entity
>> 2020-01-14T05:48:18.0926535Z ##[error]Node run failed with exit code 1
2020-01-14T05:48:18.0945674Z Cleaning up orphan processes
I was at a loss for what this might mean, though searches indicated that this is the error that a lot of GitHub APIs give when you try to create something twice.
After much frustration, I finally tried duplicating the exact scenario on my first repo (the config files were already identical but I had been using a different token, though with the same permissions) by setting the token in question to one from the same user (my bot with admin access). ...after doing this, and it working, I realized my mistake: the action was using my user's token to attempt to approve a PR from itself. 🤦
Hindsight 20/20, but this would actually be something that would be really good to check for, if possible. At the very least, a more useful error message and/or optional debug logging would be helpful.
[1] https://github.com/mattsb42/repo-admin/blob/master/.github/workflows/ops_auto-approve-me.yaml
We have a requirement where we do not want to auto-approve a PR if at least one modified file in the PR does not match the path for which the Github action is defined.
For example, considering following directory structure:
- dev
  |- deployment.yml
- prd
  |- deployment.yml
We want all changes into the dev directory to be auto-approved. But we do not want to auto-approve any changes into prd.
We have following workflow action configured:
name: Auto Approve
on:
  pull_request:
    paths:
      - 'dev/**'
      - '!prd/**'
jobs:
  automerge:
    runs-on: ubuntu-latest
    steps:
      - name: Auto Approve
        uses: hmarr/[email protected]
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
This works fine when we have changes either in the dev directory or in the prd directory. But when we have changes in both the dev and prd directories it also auto-approves, as there is at least one file in the PR which matches the path.
This seems expected as per the documentation for path. I was wondering if we can do anything on the action to block auto-approve if at least one file does not match the path.
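The `paths` trigger filter only decides whether the job starts at all, and it starts as soon as any changed file matches. The stricter rule asked for here (refuse unless every file is inside the allowed paths and none is inside a denied one) has to be checked inside the job itself, from the list of changed files. The following is an added illustration, not the action's code: it assumes the change set has already been fetched (for example from the `pulls/{number}/files` endpoint, whose entries carry a `filename` field) and reuses the same `paths` list as the workflow above; the file lists are constructed sample data.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample "filename" values, shaped like the entries of a GitHub
# GET /repos/{owner}/{repo}/pulls/{number}/files response (hypothetical PRs).
PR_FILES_DEV_ONLY = ["dev/deployment.yml"]
PR_FILES_MIXED = ["dev/deployment.yml", "prd/deployment.yml"]

# The same `paths` list as the workflow in the issue above.
WORKFLOW_PATHS = ["dev/**", "!prd/**"]


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a workflow-style path glob into an anchored regex.

    '**' matches across '/' separators, '*' and '?' match within a single
    path segment; every other character is taken literally.
    """
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def split_patterns(paths: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Separate a workflow `paths` list into allow globs and '!'-prefixed deny globs."""
    allow: List[str] = []
    deny: List[str] = []
    for p in paths:
        if p.startswith("!"):
            deny.append(p[1:])
        else:
            allow.append(p)
    return allow, deny


def matches_any(path: str, patterns: Iterable[str]) -> bool:
    return any(glob_to_regex(p).match(path) for p in patterns)


def offending_files(changed_files: List[str], paths: Iterable[str]) -> List[str]:
    """Files that block auto-approval: outside every allow glob, or inside a deny glob."""
    allow, deny = split_patterns(paths)
    return [f for f in changed_files if not matches_any(f, allow) or matches_any(f, deny)]


def all_files_within(changed_files: List[str], paths: Iterable[str]) -> bool:
    """True only when EVERY changed file is allowed and NO file is denied.

    This deliberately differs from the `paths` trigger filter, which fires the
    job as soon as ANY file matches. An empty change set is refused, not approved.
    """
    if not changed_files:
        return False
    return not offending_files(changed_files, paths)


if __name__ == "__main__":
    for files in (PR_FILES_DEV_ONLY, PR_FILES_MIXED):
        verdict = "approve" if all_files_within(files, WORKFLOW_PATHS) else "refuse"
        print(f"{files}: {verdict}, offending={offending_files(files, WORKFLOW_PATHS)}")
```

In a workflow this check would run as a step before the approval step, with the approval step conditioned on its outcome; the glob translation is a small subset of GitHub's own filter syntax (it does not handle character classes), which is enough for the `dir/**` patterns used here.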
Hello,
On a repository, we have a rule that forces 2 reviewers minimum;
Would you think it'd be possible to configure this action to approve the pull request twice (or any configurable number of times)?
Thanks;
Hello, hope you are doing great.
github.actor.
name: Auto approve
on: pull_request
jobs:
  auto-approve:
    runs-on: ubuntu-latest
    steps:
      - uses: hmarr/[email protected]
        if: (github.actor == 'awsgitbot' || github.actor == 'awsgitbot')
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
With (github.actor == 'awsgitbot' || github.actor == 'awsgitbot') && contains(github.event.pull_request.body, 'will automatically merge'), no approval is performed.
At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of GITHUB_TOKEN permissions needed by different GitHub Actions. When developers try to set minimum token permissions for their workflows, they can use this knowledge-base instead of trying to research permissions needed by each GitHub Action they use.
Below you can see the KB of your GITHUB Action.
name: 'Auto Approve'
github-token:
  action-input:
    input: github-token
    is-default: false
  permissions:
    pull-requests: write
    pull-requests-reason: to approve PRs #Checkout: https://github.com/hmarr/auto-approve-action/blob/6a9ec7556f0a7fa5b49527a1eea4878b8a22d2e0/src/approve.ts#L27
#Fixes #505
If you think this information is not accurate, or if in the future your GitHub Action starts using a different set of permissions, please create an issue at https://github.com/step-security/secure-workflows/issues to let us know.
This issue is automatically created by our analysis bot, feel free to close after reading :)
GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.
Setting minimum token permissions is also checked for by Open Source Security Foundation (OpenSSF) Scorecards. Scorecards recommend using https://github.com/step-security/secure-workflows so developers can fix this issue in an easier manner.
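The KB entry above gives the one scope this action needs (`pull-requests: write`), and the earlier posts in this thread show the two configuration mistakes that recur: no `permissions` block at all, and a `pull_request_target` trigger whose approving step has no actor condition. The following added example (not step-security's or the action's code) lints workflows for both. It assumes the workflow files have already been parsed into dictionaries, as a YAML parser would return them; the two workflow dictionaries below are constructed, the first mirroring the label-gated workflow posted earlier in the thread and the second a hardened variant.

```python
from typing import Any, Dict, List

# Constructed: the "auto approve" workflow posted earlier in this thread, as a YAML
# parser such as PyYAML would return it. (PyYAML reads the bare key `on` as the
# boolean True; trigger_names() below accepts either spelling.)
WORKFLOW_WEAK: Dict[str, Any] = {
    "name": "auto approve",
    "on": {"pull_request_target": {"types": ["labeled"]}},
    "jobs": {
        "auto-approve": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "hmarr/auto-approve-action@v3",
                 "with": {"github-token": "${{ secrets.GITHUB_TOKEN }}"}},
            ],
        }
    },
}

# Constructed: the same workflow with the token narrowed to the KB's scope and
# the approving step guarded by an actor condition.
WORKFLOW_HARDENED: Dict[str, Any] = {
    "name": "auto approve",
    "on": {"pull_request_target": {"types": ["labeled"]}},
    "permissions": {"contents": "read", "pull-requests": "write"},
    "jobs": {
        "auto-approve": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "hmarr/auto-approve-action@v3",
                 "if": "github.actor == 'dependabot[bot]'",
                 "with": {"github-token": "${{ secrets.GITHUB_TOKEN }}"}},
            ],
        }
    },
}

# Scopes the KB above records for this action.
REQUIRED_PERMISSIONS = {"pull-requests": "write"}


def trigger_names(workflow: Dict[str, Any]) -> List[str]:
    """Event names under `on`, whatever form (string, list or mapping) it takes."""
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return [on]
    if isinstance(on, list):
        return list(on)
    if isinstance(on, dict):
        return list(on.keys())
    return []


def effective_permissions(workflow: Dict[str, Any], job: Dict[str, Any]) -> Any:
    """Job-level `permissions` override the workflow level; None means the repository default."""
    return job.get("permissions", workflow.get("permissions"))


def lint_workflow(workflow: Dict[str, Any]) -> List[str]:
    findings: List[str] = []
    triggers = trigger_names(workflow)
    for job_name, job in workflow.get("jobs", {}).items():
        approving = [s for s in job.get("steps", [])
                     if "auto-approve-action" in str(s.get("uses", ""))]
        if not approving:
            continue
        perms = effective_permissions(workflow, job)
        if perms is None:
            findings.append(f"{job_name}: no `permissions` block; declare {REQUIRED_PERMISSIONS} "
                            "so GITHUB_TOKEN carries only what the approval needs")
        elif perms == "write-all":
            findings.append(f"{job_name}: `permissions: write-all` is broader than {REQUIRED_PERMISSIONS}")
        elif perms == "read-all" or isinstance(perms, dict):
            for scope, level in REQUIRED_PERMISSIONS.items():
                if not isinstance(perms, dict) or perms.get(scope) != level:
                    findings.append(f"{job_name}: `{scope}: {level}` missing; the review call "
                                    "will fail with 'Resource not accessible by integration'")
        for step in approving:
            guard = step.get("if") or job.get("if")
            if "pull_request_target" in triggers and not guard:
                findings.append(f"{job_name}: pull_request_target supplies a write token for any PR; "
                                "add an `if:` on github.actor (and/or a label) to the approving step")
    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WORKFLOW_WEAK), ("hardened", WORKFLOW_HARDENED)):
        print(label, lint_workflow(wf) or ["no findings"])
```

The actor guard narrows which pull request authors get an automatic approval; it does not, on its own, address the separate point raised earlier that anyone with write access can add their own approving workflow, which is a repository policy matter rather than a per-workflow setting.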
Hi, I'm getting this error when attempting to run auto-approve for dependabot PRs. The full workflow:
name: "Auto approve Dependabot updates"
on: pull_request
jobs:
  approve:
    name: Auto approve dependabot pull requests
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: hmarr/auto-approve-action@v2
        with:
          github-token: "${{ secrets.GITHUB_TOKEN }}"
The GITHUB_TOKEN secret is the default actions token.
But I'm getting the following output:
Run hmarr/auto-approve-action@v2
with:
github-token: ***
Creating approving review for pull request #51
Error: Resource not accessible by integration. In some cases, the GitHub token used for actions triggered from `pull_request` events are read-only, which can cause this problem. Switching to the `pull_request_target` event typically resolves this issue.
I seem to remember this working before. Not sure what has changed. Any ideas?
I'm wondering if the above is possible using the action you've developed?
Removed
Hello,
I have a use case in which PRs are auto-approved when changes are made to files located in some repo path. However, users could push new commits that contain changes to files outside of the auto-approved file path. At that point, it'd be amazing to dismiss the "stale" review and not auto-approve anymore. Is this supported? If so, feel free to point me to docs, ofc!
Use of this action in its current form (and examples) puts users at risk of a race condition variant of pull request hijacking.
The way such an attack would work is this: As a user who has write access to a repo but is NOT supposed to be able to merge code on my own, I wait until an automated workflow creates a PR that will be auto-approved by this action. If I can push my own malicious commit onto the PR branch in the moment between when the PR is created and this action is run to approve the PR, the malicious commit will be approved.
Fortunately, there is a straightforward way to fix this! If you allow specifying the commit_id to be approved, even if a malicious commit is pushed onto the branch before the approval action fires, the approval won't allow merging the malicious commit because the approval will be non-current.
It would be used in a workflow like this:
- name: Create Pull Request
  id: create-pull-request
  uses: peter-evans/create-pull-request@v5
- name: Generate Token (Approver)
  id: generate-approver-token
  uses: tibdex/github-app-token@v1
  if: ${{ steps.create-pull-request.outputs.pull-request-number }}
  with:
    app_id: ${{ secrets.APPROVER_APP_ID }}
    private_key: ${{ secrets.APPROVER_APP_PRIVATE_KEY }}
- name: Approve Pull Request
  uses: hmarr/auto-approve-action@v3
  if: ${{ steps.generate-approver-token.outputs.token }}
  with:
    commit-id: ${{ steps.create-pull-request.outputs.pull-request-head-sha }}
    github-token: ${{ steps.generate-approver-token.outputs.token }}
    pull-request-number: ${{ steps.create-pull-request.outputs.pull-request-number }}
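GitHub records every review against a commit id, and an approval for a commit other than the current head no longer counts once "dismiss stale approvals" is on. That is the property the pinned `commit-id` above relies on, and it is also the property behind the earlier reports in this thread that only the first of several stale reviews was refreshed and that a re-review was not performed. The following is an added model of those rules, not the action's code: it assumes the review list is shaped like the `pulls/{number}/reviews` response (only `user.login`, `state` and `commit_id` are used) and that `pinned_sha` is the head captured when the PR was created, as in the workflow above. The review data is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample shaped like GitHub's GET /repos/{o}/{r}/pulls/{n}/reviews
# response (only the fields used here), in chronological order. Hypothetical data.
REVIEWS: List[Dict] = [
    {"user": {"login": "approver-one[bot]"}, "state": "APPROVED", "commit_id": "aaaa"},
    {"user": {"login": "approver-two[bot]"}, "state": "APPROVED", "commit_id": "aaaa"},
    {"user": {"login": "approver-one[bot]"}, "state": "COMMENTED", "commit_id": "bbbb"},
]

# Review states that replace a user's previous verdict; a plain COMMENTED review does not.
VERDICT_STATES = {"APPROVED", "CHANGES_REQUESTED", "DISMISSED"}


@dataclass
class Decision:
    action: str  # "approve", "noop" or "skip"
    reason: str


def latest_verdict(reviews: List[Dict], login: str) -> Optional[Dict]:
    """The review that currently determines `login`'s verdict, if any."""
    last = None
    for r in reviews:
        if r["user"]["login"] == login and r["state"] in VERDICT_STATES:
            last = r
    return last


def approvers_needing_refresh(reviews: List[Dict], head_sha: str) -> Set[str]:
    """Logins whose standing approval is for a commit other than the current head.

    Every one of them must re-review; refreshing only the first (the bug reported
    earlier in this thread) leaves the remaining approvals stale and the PR blocked.
    """
    stale: Set[str] = set()
    for login in {r["user"]["login"] for r in reviews}:
        v = latest_verdict(reviews, login)
        if v is not None and v["state"] == "APPROVED" and v["commit_id"] != head_sha:
            stale.add(login)
    return stale


def decide(reviews: List[Dict], head_sha: str, me: str,
           pinned_sha: Optional[str] = None) -> Decision:
    """What an approving step should do for the current head.

    `pinned_sha` is the head the creating step recorded. If the branch has moved
    since then, this model refuses to approve at all (an added design choice: the
    workflow above instead approves with the pinned commit id, so the review lands
    as stale and cannot be used to merge the newer commits).
    """
    if pinned_sha is not None and pinned_sha != head_sha:
        return Decision("skip", f"head moved from {pinned_sha} to {head_sha} since the PR was created")
    mine = latest_verdict(reviews, me)
    if mine is None or mine["state"] != "APPROVED":
        return Decision("approve", "no standing approval from this user")
    if mine["commit_id"] == head_sha:
        return Decision("noop", "already approved at the current head")
    return Decision("approve", f"approval is for {mine['commit_id']}, head is {head_sha}; re-approving")


if __name__ == "__main__":
    head = "bbbb"
    print("stale approvers:", sorted(approvers_needing_refresh(REVIEWS, head)))
    for user in ("approver-one[bot]", "approver-three[bot]"):
        print(user, decide(REVIEWS, head, user))
    print("pinned:", decide(REVIEWS, head, "approver-one[bot]", pinned_sha="aaaa"))
```

The `latest_verdict` rule mirrors how GitHub computes a reviewer's state (the last approval, request for changes or dismissal wins; comments do not change it), which is why the `COMMENTED` review on `bbbb` does not make `approver-one[bot]` current.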
While using this action with workflows, I receive the following error:
2019/08/12 19:50:43 parsing time ""6/11/2019 1:51:07 PM"" as ""2006-01-02T15:04:05Z07:00"": cannot parse "/2019 1:51:07 PM"" as "2006"
What does this error mean?
After making a change to an approved path, every subsequent commit triggers a new approval. The logs say it is looking for existing reviews, but seems to not find the last one.
Logs from the second run:
Fetching user, pull request information, and existing reviews
Current user is github-actions[bot]
Commit SHA is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Pull request #123 has not been approved yet, creating approving review
Approved pull request #123
workflow config:
name: Auto approval
on:
  pull_request:
    branches:
      - main
    paths:
      - 'some-dir/**'
jobs:
  auto-approve:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: hmarr/auto-approve-action@v3
        with:
          review-message: "Automatic approval of ..."
Perhaps there's a missing permission that is preventing it from fetching existing reviews?
Hi,
When using this role, it leads to a syntax error. I don't know what I did wrong though.
workflow "Auto Approve" {
  on = "pull_request"
  resolves = ["hmarr/auto-approve-action"]
}
action "Filters for GitHub Actions" {
  uses = "actions/bin/filter@3c0b4f0e63ea54ea5df2914b4fabf383368cd0da"
  args = "actor dependabot[bot]"
}
action "hmarr/auto-approve-action" {
  uses = "hmarr/auto-approve-action"
  needs = ["Filters for GitHub Actions"]
  secrets = ["GITHUB_TOKEN"]
}
Error is the following:
Parse error
Line 12: The `uses' attribute must be a path, a Docker image, or owner/repo@ref
You need to edit:
uses = "hmarr/auto-approve-action"
to
uses = "hmarr/auto-approve-action@master"
(if you want to use the master branch)
Hi,
The github action fails sometimes for no reason with value:
### ERRORED 13:47:41Z
- GITHUB_TOKEN secret does not exist
I added the action, then updated a PR, then saw the action run. However, while the action succeeded, no approval was added to the PR. Am I doing something wrong? I saw the "Run hmarr/auto-approve-action" is a grey circle rather than a green checkmark. Did it fail to actually run? Here is the PR.
Dependabot couldn't find a go.mod for this project.
Dependabot requires a go.mod to evaluate your project's current Go dependencies. It had expected to find one at the path: /go.mod.
If this isn't a Go project, or if it is a library, you may wish to disable updates for it from within Dependabot.
You can mention @dependabot in the comments below to contact the Dependabot team.