Skip to content

ci: add renovate auto-approve workflow#103

Merged
jimisola merged 1 commit intomainfrom
ci/add-renovate-approve-workflow
Mar 7, 2026
Merged

ci: add renovate auto-approve workflow#103
jimisola merged 1 commit intomainfrom
ci/add-renovate-approve-workflow

Conversation

@jimisola
Copy link
Member

@jimisola jimisola commented Mar 7, 2026

Summary

  • Add caller workflow for the centralised Renovate auto-approve reusable workflow in reqstool/.github
  • When Renovate opens a PR, this workflow approves it using `GITHUB_TOKEN`, satisfying the required-review branch protection rule
  • Unblocks Renovate's existing auto-merge setting so PRs merge automatically once checks pass

🤖 Generated with Claude Code

ci: add renovate auto-approve workflow
6117fa6 
Calls the centralised reusable workflow in reqstool/.github to
auto-approve Renovate PRs, satisfying the required-review branch
protection rule and unblocking Renovate's auto-merge.

Signed-off-by: jimisola <jimisola@jimisola.com>
@jimisola jimisola self-assigned this Mar 7, 2026
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 7, 2026
View reviewed changes
.github/workflows/renovate-approve.yml

jobs:
approve:
uses: reqstool/.github/.github/workflows/renovate-approve.yml@main

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 13 days ago

To fix the issue, add an explicit permissions block that grants the least privileges needed for this workflow. Since this workflow simply triggers a reusable workflow on pull_request events and does not itself perform any repository modifications, a safe and minimal default is to restrict GITHUB_TOKEN to read-only access to repository contents.

The best targeted fix without changing existing functionality is to add a top-level permissions: section (applies to all jobs) or a job-level permissions: under jobs.approve. Both satisfy CodeQL; using a top-level block is clearer and future-proof if additional jobs are added. We’ll add:

permissions:
  contents: read

between the on: block and the jobs: block in .github/workflows/renovate-approve.yml. This documents that the workflow only needs read access to repository contents and ensures the token is not granted unnecessary write privileges. No imports or additional definitions are required.

Suggested changeset 1
.github/workflows/renovate-approve.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/renovate-approve.yml b/.github/workflows/renovate-approve.yml
--- a/.github/workflows/renovate-approve.yml
+++ b/.github/workflows/renovate-approve.yml
@@ -6,6 +6,9 @@
       - opened
       - reopened
 
+permissions:
+  contents: read
+
 jobs:
   approve:
     uses: reqstool/.github/.github/workflows/renovate-approve.yml@main
EOF
@@ -6,6 +6,9 @@
- opened
- reopened

permissions:
contents: read

jobs:
approve:
uses: reqstool/.github/.github/workflows/renovate-approve.yml@main
Copilot is powered by AI and may make mistakes. Always verify output.
@jimisola jimisola merged commit d15953e into main Mar 7, 2026
6 checks passed
@jimisola jimisola deleted the ci/add-renovate-approve-workflow branch March 7, 2026 18:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jimisola jimisola

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jimisola