os/.github/workflows/approve-from-label.yaml at b778e385500b01d6cf976bf1b5c8bda6bab239c0 · wolfi-dev/os · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
name: Approve PR from approver-bot

on:
  pull_request:
    types:
      - labeled

permissions: {}

jobs:
  approve:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    if: github.event.label.name == 'approver-bot/approve'
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: audit
      - name: Checkout repository
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Review PR
        run: |
          curl \
            -o review_output.json \
            -X POST \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
              https://api.github.com/repos/"${{ github.repository }}"/pulls/"${{ github.event.pull_request.number}}"/reviews
      - name: Approve PR
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh api \
            --method POST \
            -H "Accept: application/vnd.github+json" \
              /repos/"${{ github.repository }}"/pulls/"${{ github.event.pull_request.number}}"/reviews/"$(jq -r '.id' review_output.json)"/events \
            -f event='APPROVE'