Auto-approve Trusted External PR Workflows #3189
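name: Auto-approve Trusted External PR Workflows

# Approves pending ("action_required") workflow runs for open PRs that carry
# the 'trusted-external-pr' label, so maintainers do not have to click
# "Approve and run" after every push from a trusted fork.
#
# Notes for maintainers:
#   - The job runs on pull_request_target, i.e. in the base repository's
#     context with an `actions: write` token. It must never check out or
#     execute code from the PR; it only calls the GitHub API.
#   - The label is the trust decision. Once a PR is labeled, every later
#     push to it is approved by the next run (cron or synchronize), so only
#     label PRs whose author you trust for the PR's lifetime, and remove the
#     label to revoke that trust.
on:
  schedule:
    # Runs every 5 minutes
    - cron: "*/5 * * * *"
  workflow_dispatch: # Allow manual triggering
  pull_request_target:
    types: [synchronize, opened, labeled, reopened]

permissions:
  actions: write        # needed to approve workflow runs
  pull-requests: read   # needed by `gh pr list`
  contents: read

jobs:
  auto-approve-workflows:
    if: github.repository == 'tensorzero/tensorzero'
    runs-on: ubuntu-latest
    steps:
      - name: Auto-approve workflow runs for trusted external PRs
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed through the environment rather than interpolated into the
          # script so the shell never sees an expression expansion.
          REPO: ${{ github.repository }}
        run: |
          set -euo pipefail
          echo "Checking for trusted external PRs..."
          # One PR per line, TAB-separated: number, head ref, head SHA, author login.
          # TAB is the delimiter because git forbids control characters in ref
          # names, whereas '|' is legal in a branch name and would break parsing.
          prs=$(gh pr list --repo "$REPO" --state open --label "trusted-external-pr" \
            --json number,headRefName,headRefOid,author \
            --jq '.[] | "\(.number)\t\(.headRefName)\t\(.headRefOid)\t\(.author.login)"')
          if [ -z "$prs" ]; then
            echo "No open PRs with 'trusted-external-pr' label found."
            exit 0
          fi
          echo "Found PRs with 'trusted-external-pr' label:"
          echo "$prs"
          # Process each PR
          while IFS=$'\t' read -r pr_number head_ref head_sha author; do
            echo ""
            echo "Processing PR #$pr_number (branch: $head_ref, HEAD: $head_sha, author: $author)"
            # Get the most recent workflow run for this PR's HEAD commit that is awaiting approval.
            # We look for runs on the head ref and head SHA that have the 'action_required' status,
            # sort by created_at descending and take only the first (most recent) one.
            # The branch name and SHA are matched inside jq via env vars, never
            # interpolated into the filter, so an untrusted branch name cannot alter the query.
            # NOTE(review): only the first page (100 pending runs) is inspected; a
            # larger backlog could hide older pending runs — TODO confirm whether
            # that can happen in practice before adding --paginate.
            run_id=$(HEAD_REF="$head_ref" HEAD_SHA="$head_sha" gh api \
              -H "Accept: application/vnd.github+json" \
              -H "X-GitHub-Api-Version: 2022-11-28" \
              "/repos/$REPO/actions/runs?event=pull_request&status=action_required&per_page=100" \
              --jq '[.workflow_runs[] | select(.head_branch == env.HEAD_REF and .head_sha == env.HEAD_SHA)] | sort_by(.created_at) | reverse | .[0].id')
            # jq yields "null" when no run matched.
            if [ -z "$run_id" ] || [ "$run_id" = "null" ]; then
              echo " No workflow runs awaiting approval for PR #$pr_number HEAD commit"
              continue
            fi
            echo " Approving workflow run $run_id for PR #$pr_number HEAD commit ($head_sha)..."
            # Approve the workflow run. The command substitution sits in the 'if'
            # so a failed approval does not trip 'set -e' (Actions runs bash with
            # -e by default); with a bare assignment followed by `$?`, the first
            # non-approvable run would abort the job before the remaining PRs are processed.
            if response=$(gh api \
                 --method POST \
                 -H "Accept: application/vnd.github+json" \
                 -H "X-GitHub-Api-Version: 2022-11-28" \
                 "/repos/$REPO/actions/runs/$run_id/approve" 2>&1); then
              echo " ✓ Successfully approved workflow run $run_id"
            elif grep -qF -- "Cannot approve a workflow run that is not awaiting approval" <<< "$response"; then
              # Already approved (e.g. by a maintainer) or no longer pending — not an error.
              echo " ℹ Workflow run $run_id is already approved or doesn't need approval"
            else
              echo " ✗ Failed to approve workflow run $run_id: $response"
            fi
          done <<< "$prs"
          echo ""
          echo "Finished processing trusted external PRs"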