fix(ci): handle GITHUB_TOKEN self-approval limitation for bot PRs

CybotTM · CybotTM · commit a923b8f1cd67 · 2026-02-16T13:47:16.000+01:00
- pr-quality.yml: detect bot authors and use APPROVE_TOKEN (PAT) to
  approve their PRs; GITHUB_TOKEN can't approve PRs created by
  github-actions[bot] since they share the same identity
- auto-merge-deps.yml: skip approve step for github-actions[bot] PRs
  (would always fail with "Can not approve your own pull request")
diff --git a/.github/workflows/auto-merge-deps.yml b/.github/workflows/auto-merge-deps.yml
@@ -42,6 +42,10 @@ jobs:
                   github-token: ${{ secrets.GITHUB_TOKEN }}
 
             - name: Auto-approve PR
+              # Skip for github-actions[bot] -- GITHUB_TOKEN can't approve
+              # its own PRs. release-please PRs need approval from pr-quality.yml
+              # using APPROVE_TOKEN, or manual approval.
+              if: github.event.pull_request.user.login != 'github-actions[bot]'
               env:
                   PR_URL: ${{ github.event.pull_request.html_url }}
                   GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pr-quality.yml b/.github/workflows/pr-quality.yml
@@ -1,6 +1,10 @@
-# Solo-maintainer auto-approve: approves PRs from repo collaborators
-# so that required_approving_review_count >= 1 (OpenSSF Scorecard) is
-# satisfied without manual review for trusted authors.
+# Solo-maintainer auto-approve: approves PRs from repo collaborators and
+# trusted bots so that required_approving_review_count >= 1 is satisfied
+# without manual review.
+#
+# For bot PRs (github-actions[bot]), GITHUB_TOKEN can't self-approve.
+# Set an APPROVE_TOKEN secret (PAT with repo scope) to approve bot PRs.
+# Without APPROVE_TOKEN, bot PRs require manual approval.
 #
 # SECURITY: This workflow uses pull_request_target which runs with base branch
 # permissions. NEVER add an actions/checkout step here.
@@ -32,12 +36,24 @@ jobs:
                   PR_AUTHOR: ${{ github.event.pull_request.user.login }}
                   REPO: ${{ github.repository }}
               run: |
+                  # Bots are trusted if they match known bot accounts
+                  if [[ "$PR_AUTHOR" == "dependabot[bot]" || "$PR_AUTHOR" == "renovate[bot]" || "$PR_AUTHOR" == "github-actions[bot]" ]]; then
+                    echo "permission=bot" >> "$GITHUB_OUTPUT"
+                    exit 0
+                  fi
                   PERMISSION=$(gh api "repos/$REPO/collaborators/$PR_AUTHOR/permission" --jq '.permission' 2>/dev/null || echo "none")
                   echo "permission=$PERMISSION" >> "$GITHUB_OUTPUT"
 
-            - name: Auto-approve PR
+            - name: Auto-approve (collaborator)
               if: steps.check-permission.outputs.permission == 'admin' || steps.check-permission.outputs.permission == 'write'
               env:
                   PR_URL: ${{ github.event.pull_request.html_url }}
                   GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
               run: gh pr review --approve "$PR_URL"
+
+            - name: Auto-approve (bot via APPROVE_TOKEN)
+              if: steps.check-permission.outputs.permission == 'bot' && secrets.APPROVE_TOKEN != ''
+              env:
+                  PR_URL: ${{ github.event.pull_request.html_url }}
+                  GH_TOKEN: ${{ secrets.APPROVE_TOKEN }}
+              run: gh pr review --approve "$PR_URL"
