Skip to content

ci: add renovate auto-approve workflow #146

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jimisola merged 1 commit into from
Mar 7, 2026
Merged

ci: add renovate auto-approve workflow #146

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions .github/workflows/renovate-approve.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
name: Renovate auto-approve

on:
pull_request:
types:
- opened
- reopened

jobs:
approve:
uses: reqstool/.github/.github/workflows/renovate-approve.yml@main

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 13 days ago

In general, this issue is fixed by explicitly declaring a permissions block in the workflow (either at the root or per‑job) that grants only the minimal scopes the workflow needs. This overrides potentially broad repository defaults and documents the workflow’s required privileges.

For this specific workflow, we should add a root‑level permissions block between the name and on keys, because there is only one job and it delegates to a reusable workflow. A safe, minimal starting point that aligns with GitHub’s guidance is contents: read, which is equivalent to read‑only repository access. If the reusable workflow requires additional scopes (for example, to approve or update pull requests), those would typically be pull-requests: write. However, we are not allowed to assume additional behavior beyond the snippet, so we will start with the minimal explicit restriction: permissions: contents: read. This keeps existing behavior in nearly all cases where the reusable workflow only needs read access, while constraining the token compared to legacy defaults. The change is localized to .github/workflows/renovate-approve.yml, and no new imports or methods are required.

Concretely:

  • Edit .github/workflows/renovate-approve.yml.
  • Insert a permissions: block after line 1 (the name: line) and before the on: block.
  • Set contents: read in that block.
    No other lines in the file need to change.
Suggested changeset 1
.github/workflows/renovate-approve.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/renovate-approve.yml b/.github/workflows/renovate-approve.yml
--- a/.github/workflows/renovate-approve.yml
+++ b/.github/workflows/renovate-approve.yml
@@ -1,4 +1,6 @@
 name: Renovate auto-approve
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
@@ -1,4 +1,6 @@
name: Renovate auto-approve
permissions:
contents: read

on:
pull_request:
Copilot is powered by AI and may make mistakes. Always verify output.