Approve PR Action is a set of GitHub Actions to approve pull requests securely by the Client/Server Model.
Approve PR Action allows you to approve pull requests by Machine Users securely without sharing Machine Users' Personal Access Tokens (PAT) across GitHub Actions workflows. It elevates the security of your workflows to the next level.
- 💪 Approve pull requests to merge pull requests automatically
- 🛡 Secure
- You don't need to pass PAT of machine users to GitHub Actions workflows on the client side
- 😊 Easy to use
- You don't need to host a server application
- 😉 OSS (MIT License)
It would be convenient to automatically merge pull requests created by apps like Renovate. Manually reviewing and merging all of them can be time-consuming and labor-intensive. Tedious reviews can sometimes become mere formalities. This can lead to delayed updates and potentially troublesome issues.
Of course, automatic merging comes with its own risks, but if the benefits of automation outweigh those risks, it’s a good idea to automatically merge at least some updates—excluding major updates, for example.
But if approvals from codeowners are required by Branch Rulesets, you need to approve pull requests automatically. GitHub Apps can't be codeowners, so you need to approve pull requests using machine user's PAT. But if the PAT is abused, people can approve any pull requests using it and merge them without pull request reviews. It's so dangerous. So you must protect machine user's PAT securely. You shouldn't pass it to workflows widely.
This action allows you to protect PAT by the Client/Server Model.
This action intends to approve only pull requests created by reliable Apps automatically. This action doesn't approve pull requests unless they don't meet the following conditions:
- All commits are linked to GitHub Users
- All commits are signed
- All committers or authors are allowed in the input
allowed_committers(By default,allowed_committersarerenovate[bot]anddependabot[bot])
- Create a server repository
- Create a server GitHub App:
- Required Permissions:
pull_requests:readandcontents:readTo validate pull requests - Installed Repositories: client and server repositories
- Required Permissions:
- Create a fine-grained PAT of a machine user
- Required Permissions:
pull_requests:write: To approve pull requests
- Repositories: client repositories
- Required Permissions:
- Allow the server workflow to access the PAT securely
- Create the server workflow: Example
- Create a client GitHub App:
- Required Permissions:
issues:writeTo create GitHub Issue labels - Installed Repositories: client and server repositories
- Required Permissions:
- Run the client action in client workflows: Example
Approve PR Action composes of following actions:
- csm-actions/approve-pr-action: Client action
- csm-actions/approve-pr-action/server: Server action