Merge pull request #456 from 1Password/mrj/452/flake-ci-updates

mrjones2014 · web-flow · commit 3fae904cc627 · 2024-04-19T11:54:19.000-04:00
chore(ci): Auto-add one approval to automated flake.lock PRs
diff --git a/.github/workflows/approve-flake-lock-prs.yml b/.github/workflows/approve-flake-lock-prs.yml
@@ -0,0 +1,27 @@
+# This job applies one approval automatically to the automated `flake.lock` PRs
+# This helps us keep up with the weekly automated PRs, but still requires at least 1
+# human manual approval.
+name: Approve flake.lock PRs (still require 1 human approval)
+permissions:
+  pull-requests: write
+on:
+  pull_request_target:
+    paths:
+      - 'flake.lock' # only run if flake.lock has changed
+jobs:
+  approve-flake-lock-prs:
+    runs-on: ubuntu-latest
+    if: github.actor == 'github-actions[bot]' && github.event.pull_request.labels.*.name == 'flake.lock automation'
+    steps:
+      - uses: actions/checkout@v4
+      - name: Approve flake.lock PRs (still requires 1 human approval)
+        run: |
+          # only run if only exactly 1 file is changed;
+          # this combined with the `paths:` filter on the job itself
+          # ensures that the PR changes ONLY flake.lock and no other files
+          if [[ "$(git diff --name-only HEAD..origin/main | wc -l)" = 1 ]]; then
+            gh pr review --approve "$PR_URL"
+          end
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/update-flake-dependencies.yml b/.github/workflows/update-flake-dependencies.yml
@@ -33,5 +33,10 @@ jobs:
               --field content=@<(base64 -i $FILE_TO_COMMIT) \
               --field branch="$COMMIT_BRANCH" \
               --field sha="$(git rev-parse $COMMIT_BRANCH:$FILE_TO_COMMIT)"
-            gh pr create --title "[automation]: Update Flake dependencies" --body "This is an automated PR to update \`flake.lock\`" --reviewer mrjones2014 --reviewer AndyTitu --base main --head $COMMIT_BRANCH
+            gh pr create --title "[automation]: Update Flake dependencies" \
+              --body "This is an automated PR to update \`flake.lock\`" \
+              --label "flake.lock automation" \
+              --reviewer mrjones2014 \
+              --reviewer AndyTitu \
+              --base main --head $COMMIT_BRANCH
           fi
