fix: run only if ONLY flake.lock is changed

Author: mrjones2014

.github/workflows/approve-flake-lock-prs.yml

@@ -4,13 +4,23 @@
 name: Approve flake.lock PRs (still require 1 human approval)
 permissions:
   pull-requests: write
+on:
+  pull_request_target:
+    paths:
+      - 'flake.lock' # only run if flake.lock has changed
 jobs:
   approve-flake-lock-prs:
     runs-on: ubuntu-latest
     if: github.actor == 'github-actions[bot]' && github.event.pull_request.labels.*.name == 'flake.lock automation'
     steps:
       - name: Approve flake.lock PRs (still requires 1 human approval)
-        run: gh pr review --approve "$PR_URL"
+        run: |
+          # only run if only exactly 1 file is changed;
+          # this combined with the `paths:` filter on the job itself
+          # ensures that the PR changes ONLY flake.lock and no other files
+          if [[ "$(git diff --name-only HEAD..origin/main | wc -l)" = 1 ]]; then
+            gh pr review --approve "$PR_URL"
+          end
         env:
           PR_URL: ${{github.event.pull_request.html_url}}
           GH_TOKEN: ${{secrets.GITHUB_TOKEN}}