Skip to content

ci: add renovate auto-approve workflow#77

Merged
jimisola merged 1 commit intomainfrom
ci/add-renovate-approve-workflow
Mar 7, 2026
Merged

ci: add renovate auto-approve workflow#77
jimisola merged 1 commit intomainfrom
ci/add-renovate-approve-workflow

Conversation

@jimisola
Copy link
Member

@jimisola jimisola commented Mar 7, 2026

Summary

  • Add caller workflow for the centralised Renovate auto-approve reusable workflow in reqstool/.github
  • When Renovate opens a PR, this workflow approves it using `GITHUB_TOKEN`, satisfying the required-review branch protection rule
  • Unblocks Renovate's existing auto-merge setting so PRs merge automatically once checks pass

🤖 Generated with Claude Code

ci: add renovate auto-approve workflow
1dc3522 
Calls the centralised reusable workflow in reqstool/.github to
auto-approve Renovate PRs, satisfying the required-review branch
protection rule and unblocking Renovate's auto-merge.

Signed-off-by: jimisola <jimisola@jimisola.com>
@jimisola jimisola self-assigned this Mar 7, 2026
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 7, 2026
View reviewed changes
.github/workflows/renovate-approve.yml

jobs:
approve:
uses: reqstool/.github/.github/workflows/renovate-approve.yml@main

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 12 days ago

In general, the fix is to explicitly define a permissions: block either at the workflow root (applies to all jobs) or inside the specific job. Since this workflow only defines a single job (approve) that simply calls a reusable workflow, the cleanest approach is to add a root-level permissions: section that grants only read access to repository contents, which is usually sufficient for Renovate approval logic driven by another workflow. If the reusable workflow needs additional scopes, they can be added there; here we keep the caller minimal.

Concretely, in .github/workflows/renovate-approve.yml, insert a permissions: block after the name: line and before on:. Use a minimal least-privilege setting such as:

permissions:
  contents: read

This ensures the GITHUB_TOKEN used by this workflow is explicitly limited and no longer depends on potentially broad repository defaults. No imports or additional methods are needed; only the YAML structure changes.

Suggested changeset 1
.github/workflows/renovate-approve.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/renovate-approve.yml b/.github/workflows/renovate-approve.yml
--- a/.github/workflows/renovate-approve.yml
+++ b/.github/workflows/renovate-approve.yml
@@ -1,5 +1,8 @@
 name: Renovate auto-approve
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     types:
EOF
@@ -1,5 +1,8 @@
name: Renovate auto-approve

permissions:
contents: read

on:
pull_request:
types:
Copilot is powered by AI and may make mistakes. Always verify output.
@jimisola jimisola merged commit 7138e83 into main Mar 7, 2026
6 checks passed
@jimisola jimisola deleted the ci/add-renovate-approve-workflow branch March 7, 2026 18:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jimisola jimisola

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jimisola