node-magento-eqp/.github/workflows/pr-quality.yml at e7b8fee8b35e37a5b4f9873d54d9d76023df39c5 · netresearch/node-magento-eqp · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
# Solo-maintainer auto-approve: approves PRs from repo collaborators and
# trusted bots so that required_approving_review_count >= 1 is satisfied
# without manual review.
#
# For bot PRs (github-actions[bot]), GITHUB_TOKEN can't self-approve.
# Set an APPROVE_TOKEN secret (PAT with repo scope) to approve bot PRs.
# Without APPROVE_TOKEN, bot PRs require manual approval.
#
# SECURITY: This workflow uses pull_request_target which runs with base branch
# permissions. NEVER add an actions/checkout step here.

name: PR Quality Gates

on:
    pull_request_target:
        types: [opened, synchronize, reopened]

permissions:
    pull-requests: write

jobs:
    auto-approve:
        name: Auto-approve (collaborators)
        runs-on: ubuntu-24.04

        steps:
            - name: Harden Runner
              uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
              with:
                  egress-policy: audit

            - name: Check author permission
              id: check-permission
              env:
                  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
                  PR_AUTHOR: ${{ github.event.pull_request.user.login }}
                  REPO: ${{ github.repository }}
              run: |
                  # Bots are trusted if they match known bot accounts
                  if [[ "$PR_AUTHOR" == "dependabot[bot]" || "$PR_AUTHOR" == "renovate[bot]" || "$PR_AUTHOR" == "github-actions[bot]" ]]; then
                    echo "permission=bot" >> "$GITHUB_OUTPUT"
                    exit 0
                  fi
                  PERMISSION=$(gh api "repos/$REPO/collaborators/$PR_AUTHOR/permission" --jq '.permission' 2>/dev/null || echo "none")
                  echo "permission=$PERMISSION" >> "$GITHUB_OUTPUT"

            - name: Auto-approve (collaborator)
              if: steps.check-permission.outputs.permission == 'admin' || steps.check-permission.outputs.permission == 'write'
              env:
                  PR_URL: ${{ github.event.pull_request.html_url }}
                  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
              run: gh pr review --approve "$PR_URL"

            - name: Auto-approve (bot via APPROVE_TOKEN)
              if: steps.check-permission.outputs.permission == 'bot'
              env:
                  PR_URL: ${{ github.event.pull_request.html_url }}
                  GH_TOKEN: ${{ secrets.APPROVE_TOKEN || secrets.GITHUB_TOKEN }}
              run: gh pr review --approve "$PR_URL" || true