Skip to content

ci: add renovate auto-approve workflow#142

Merged
jimisola merged 1 commit intomainfrom
ci/add-renovate-approve-workflow
Mar 7, 2026
Merged

ci: add renovate auto-approve workflow#142
jimisola merged 1 commit intomainfrom
ci/add-renovate-approve-workflow

Conversation

@jimisola
Copy link
Copy Markdown
Member

@jimisola jimisola commented Mar 7, 2026

Summary

  • Add caller workflow for the centralised Renovate auto-approve reusable workflow in reqstool/.github
  • When Renovate opens a PR, this workflow approves it using `GITHUB_TOKEN`, satisfying the required-review branch protection rule
  • Unblocks Renovate's existing auto-merge setting so PRs merge automatically once checks pass

🤖 Generated with Claude Code

ci: add renovate auto-approve workflow
c5befbf 
Calls the centralised reusable workflow in reqstool/.github to
auto-approve Renovate PRs, satisfying the required-review branch
protection rule and unblocking Renovate's auto-merge.

Signed-off-by: jimisola <jimisola@jimisola.com>
@jimisola jimisola self-assigned this Mar 7, 2026
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 7, 2026
View reviewed changes
.github/workflows/renovate-approve.yml

jobs:
approve:
uses: reqstool/.github/.github/workflows/renovate-approve.yml@main

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI about 1 month ago

To fix the problem, add an explicit permissions block to the workflow so that the GITHUB_TOKEN is limited to the least privilege required. Since we do not see any specific operations being performed in this file (it only calls a reusable workflow), the safest generic baseline is to set all permissions to read-only (or fully disable them with permissions: {}) unless we know that Renovate auto-approval needs to write to pull requests. Auto-approving a PR usually requires pull-requests: write, and possibly contents: read to access commit/PR data.

The best minimal change without altering existing behavior is to define permissions at the workflow root so they apply to all jobs (there is only approve here). For a Renovate auto-approve workflow, a reasonable least-privilege set is:

  • contents: read – allow reading repo contents/metadata.
  • pull-requests: write – allow approving PRs.

Concretely, in .github/workflows/renovate-approve.yml, add a permissions: block between the name: and on: keys, e.g. starting at a new line after line 1. No imports or additional definitions are needed; this is just YAML configuration.

Suggested changeset 1
.github/workflows/renovate-approve.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/renovate-approve.yml b/.github/workflows/renovate-approve.yml
--- a/.github/workflows/renovate-approve.yml
+++ b/.github/workflows/renovate-approve.yml
@@ -1,5 +1,9 @@
 name: Renovate auto-approve
 
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   pull_request:
     types:
EOF
@@ -1,5 +1,9 @@
name: Renovate auto-approve

permissions:
contents: read
pull-requests: write

on:
pull_request:
types:
Copilot is powered by AI and may make mistakes. Always verify output.
@jimisola jimisola merged commit 9c9d698 into main Mar 7, 2026
7 checks passed
@jimisola jimisola deleted the ci/add-renovate-approve-workflow branch March 7, 2026 18:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jimisola jimisola

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jimisola @github-advanced-security