Auto-approve Trusted External PR Workflows #3189

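# Auto-approves the pending ("action_required") workflow run for every open PR
# that carries the `trusted-external-pr` label, so vetted external contributors
# get CI without a maintainer clicking "Approve and run" after each push.
#
# Security notes for maintainers of this file:
# - The job runs in the base repository's context (`pull_request_target` and
#   `schedule`) with a GITHUB_TOKEN that has `actions: write`. It must never
#   check out or execute anything from the PR head; it only calls the GitHub
#   REST API. Do not add `actions/checkout` of `github.event.pull_request.head`.
# - The label is the trust anchor, and it persists across pushes: once applied,
#   every later commit to that PR is approved automatically (the `synchronize`
#   trigger and the 5-minute cron both re-run this). Anyone able to label PRs
#   is therefore granting ongoing CI execution to that contributor. If you want
#   per-commit vetting, remove the label after each review (automating that on
#   `synchronize` would additionally need `pull-requests: write`).
# - Approved runs are `pull_request` runs from forks, which GitHub gives a
#   read-only token and no repository secrets; this workflow does not widen that.
name: Auto-approve Trusted External PR Workflows
on:
  schedule:
    # Runs every 5 minutes
    - cron: "*/5 * * * *"
  workflow_dispatch: # Allow manual triggering
  pull_request_target:
    types: [synchronize, opened, labeled, reopened]
permissions:
  actions: write # required by POST /repos/{owner}/{repo}/actions/runs/{run_id}/approve
  pull-requests: read
  contents: read
jobs:
  auto-approve-workflows:
    if: github.repository == 'tensorzero/tensorzero'
    runs-on: ubuntu-latest
    steps:
      - name: Auto-approve workflow runs for trusted external PRs
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed via env rather than interpolated into the script so the shell
          # never sees expression output as code.
          REPO: ${{ github.repository }}
        run: |
          # `run:` already executes under `bash -e`; make the full set explicit so
          # the error handling below is written against known shell semantics.
          set -euo pipefail

          echo "Checking for trusted external PRs..."

          # All open PRs with the trust label, one per line, TAB-separated.
          # A git ref name cannot contain control characters, so TAB is a safe
          # delimiter; a branch name MAY legally contain '|', which would shift
          # the fields if '|' were used and make the SHA below come from the
          # (contributor-controlled) branch name instead of the API.
          prs=$(gh pr list --repo "$REPO" --state open --label "trusted-external-pr" --limit 100 \
            --json number,headRefName,headRefOid,author \
            --jq '.[] | [.number, .headRefName, .headRefOid, .author.login] | @tsv')
          if [ -z "$prs" ]; then
            echo "No open PRs with 'trusted-external-pr' label found."
            exit 0
          fi
          echo "Found PRs with 'trusted-external-pr' label:"
          echo "$prs"

          # Process each PR
          while IFS=$'\t' read -r pr_number head_ref head_sha author; do
            echo ""
            echo "Processing PR #$pr_number (branch: $head_ref, HEAD: $head_sha, author: $author)"

            # Pin the approval to a full commit id as reported by the API; refuse
            # anything else rather than matching runs on a malformed value.
            if ! [[ "$head_sha" =~ ^[0-9a-f]{40}$ ]]; then
              echo "  ✗ Unexpected HEAD SHA '$head_sha' for PR #$pr_number; skipping"
              continue
            fi

            # Most recent workflow run for this PR's HEAD commit that is awaiting
            # approval ('action_required'). Branch and SHA go through the
            # environment, not into the jq program text, so a hostile branch name
            # cannot change the filter. Only the first page (100 runs) is scanned.
            run_id=$(HEAD_REF="$head_ref" HEAD_SHA="$head_sha" gh api \
              -H "Accept: application/vnd.github+json" \
              -H "X-GitHub-Api-Version: 2022-11-28" \
              "/repos/$REPO/actions/runs?event=pull_request&status=action_required&per_page=100" \
              --jq '[.workflow_runs[] | select(.head_branch == env.HEAD_REF and .head_sha == env.HEAD_SHA)] | sort_by(.created_at) | reverse | .[0].id')
            # `.[0].id` on an empty array yields "null"; also guards the URL below.
            if ! [[ "$run_id" =~ ^[0-9]+$ ]]; then
              echo "  No workflow runs awaiting approval for PR #$pr_number HEAD commit"
              continue
            fi

            echo "  Approving workflow run $run_id for PR #$pr_number HEAD commit ($head_sha)..."
            # The assignment is tested directly in the `if`: under `-e`, a failing
            # command substitution in a stand-alone assignment aborts the script
            # before `$?` can be inspected, which made the "already approved"
            # branch unreachable.
            if response=$(gh api \
                --method POST \
                -H "Accept: application/vnd.github+json" \
                -H "X-GitHub-Api-Version: 2022-11-28" \
                "/repos/$REPO/actions/runs/$run_id/approve" 2>&1); then
              echo "  ✓ Successfully approved workflow run $run_id"
            elif echo "$response" | grep -q "Cannot approve a workflow run that is not awaiting approval"; then
              # Already approved (e.g. by a maintainer) or never needed approval.
              echo "  ℹ Workflow run $run_id is already approved or doesn't need approval"
            else
              echo "  ✗ Failed to approve workflow run $run_id: $response"
            fi
          done <<< "$prs"

          echo ""
          echo "Finished processing trusted external PRs"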