{"id":28092697,"url":"https://github.com/csm-actions/approve-pr-action","last_synced_at":"2025-05-13T13:36:28.941Z","repository":{"id":291365912,"uuid":"977404258","full_name":"csm-actions/approve-pr-action","owner":"csm-actions","description":"GitHub Action to approve pull requests securely","archived":false,"fork":false,"pushed_at":"2025-05-05T07:10:38.000Z","size":185,"stargazers_count":6,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-05-05T07:44:42.433Z","etag":null,"topics":["github-actions","oss","security"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/csm-actions.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["suzuki-shunsuke"]}},"created_at":"2025-05-04T06:02:03.000Z","updated_at":"2025-05-05T07:31:58.000Z","dependencies_parsed_at":"2025-05-05T07:44:45.315Z","dependency_job_id":null,"html_url":"https://github.com/csm-actions/approve-pr-action","commit_stats":null,"previous_names":["securefix-action/pr-approve-action","securefix-action/approve-pr-action","csm-actions/approve-pr-action"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csm-actions%2Fapprove-pr-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csm-actions%2Fapprove-pr-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csm-actions%2Fapprove-pr-ac
tion/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/csm-actions%2Fapprove-pr-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/csm-actions","download_url":"https://codeload.github.com/csm-actions/approve-pr-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253950920,"owners_count":21989434,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-actions","oss","security"],"created_at":"2025-05-13T13:36:27.849Z","updated_at":"2025-05-13T13:36:28.923Z","avatar_url":"https://github.com/csm-actions.png","language":null,"funding_links":["https://github.com/sponsors/suzuki-shunsuke"],"categories":[],"sub_categories":[],"readme":"# Approve PR Action\n\n[![License](http://img.shields.io/badge/license-mit-blue.svg?style=flat-square)](https://raw.githubusercontent.com/csm-actions/approve-pr-action/main/LICENSE) | [Versioning Policy](https://github.com/suzuki-shunsuke/versioning-policy/blob/main/POLICY.md)\n\n`Approve PR Action` is a set of GitHub Actions to approve pull requests securely by [the Client/Server Model](https://github.com/csm-actions/docs).\n\nApprove PR Action allows you to approve pull requests by Machine Users securely without sharing Machine Users' Personal Access Tokens (PAT) across GitHub Actions workflows.\nIt elevates the security of your workflows to the next level.\n\n## Features\n\n- 💪 Approve pull requests to merge pull requests automatically\n- 🛡 Secure\n  - You don't need to pass PAT of machine users to GitHub Actions 
workflows on the client side\n- 😊 Easy to use\n  - You don't need to host a server application\n- 😉 [OSS (MIT License)](LICENSE)\n\n## Overview\n\nIt would be convenient to automatically merge pull requests created by apps like Renovate.\nManually reviewing and merging all of them can be time-consuming and labor-intensive.\nTedious reviews can sometimes become mere formalities.\nThis can lead to delayed updates and potentially troublesome issues.\n\nOf course, automatic merging comes with its own risks, but if the benefits of automation outweigh those risks, it’s a good idea to automatically merge at least some updates—excluding major updates, for example.\n\nBut if approvals from codeowners are required by Branch Rulesets, you need to approve pull requests automatically.\nGitHub Apps can't be codeowners, so you need to approve pull requests using a machine user's PAT.\nBut if the PAT is abused, people can approve any pull requests using it and merge them without pull request reviews.\nThat is dangerous.\nSo you must protect the machine user's PAT securely.\nYou shouldn't pass it to workflows widely.\n\nThis action allows you to protect the PAT by [the Client/Server Model](https://github.com/csm-actions/docs).\n\nThis action intends to approve only pull requests created by reliable Apps automatically.\nThis action doesn't approve pull requests unless they meet the following conditions:\n\n1. All commits are linked to GitHub Users\n1. All commits are signed\n1. 
All committers or authors are allowed in the input `allowed_committers` (By default, `allowed_committers` are `renovate[bot]` and `dependabot[bot]`)\n\n## How To Set Up\n\n- Create a server repository\n- Create a server GitHub App:\n  - Required Permissions: `pull_requests:read` and `contents:read`: To validate pull requests\n  - Installed Repositories: client and server repositories\n- Create a fine-grained PAT of a machine user\n  - Required Permissions:\n    - `pull_requests:write`: To approve pull requests\n  - Repositories: client repositories\n- [Allow the server workflow to access the PAT securely](https://github.com/csm-actions/docs?tab=readme-ov-file#secret-management)\n- Create the server workflow: [Example](https://github.com/csm-actions/demo-server/blob/main/.github/workflows/approve.yaml)\n- Create a client GitHub App:\n  - Required Permissions: `issues:write`: To create GitHub Issue labels\n  - Installed Repositories: client and server repositories\n- Run the client action in client workflows: [Example](https://github.com/csm-actions/demo-client/blob/c46ce73ffdaa83af182d733a382d5dc051d3b994/.github/workflows/approve.yaml#L11-L20)\n\n## Actions\n\nApprove PR Action consists of the following actions:\n\n- [csm-actions/approve-pr-action](action.yaml): Client action\n- [csm-actions/approve-pr-action/server](server/action.yaml): Server action\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcsm-actions%2Fapprove-pr-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcsm-actions%2Fapprove-pr-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcsm-actions%2Fapprove-pr-action/lists"}