https://github.com/csm-actions/approve-pr-action
GitHub Action to approve pull requests securely
https://github.com/csm-actions/approve-pr-action
github-actions oss security
Last synced: about 1 year ago
JSON representation
GitHub Action to approve pull requests securely
- Host: GitHub
- URL: https://github.com/csm-actions/approve-pr-action
- Owner: csm-actions
- License: mit
- Created: 2025-05-04T06:02:03.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2025-05-05T07:10:38.000Z (about 1 year ago)
- Last Synced: 2025-05-05T07:44:42.433Z (about 1 year ago)
- Topics: github-actions, oss, security
- Homepage:
- Size: 181 KB
- Stars: 6
- Watchers: 0
- Forks: 0
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- Funding: .github/FUNDING.yml
- License: LICENSE
Awesome Lists containing this project
README
# Approve PR Action
[](https://raw.githubusercontent.com/csm-actions/approve-pr-action/main/LICENSE) | [Versioning Policy](https://github.com/suzuki-shunsuke/versioning-policy/blob/main/POLICY.md)
`Approve PR Action` is a set of GitHub Actions to approve pull requests securely by [the Client/Server Model](https://github.com/csm-actions/docs).
Approve PR Action allows you to approve pull requests by Machine Users securely without sharing Machine Users' Personal Access Tokens (PAT) across GitHub Actions workflows.
It elevates the security of your workflows to the next level.
## Features
- 💪 Approve pull requests to merge pull requests automatically
- 🛡 Secure
- You don't need to pass PAT of machine users to GitHub Actions workflows on the client side
- 😊 Easy to use
- You don't need to host a server application
- 😉 [OSS (MIT License)](LICENSE)
## Overview
It would be convenient to automatically merge pull requests created by apps like Renovate.
Manually reviewing and merging all of them can be time-consuming and labor-intensive.
Tedious reviews can sometimes become mere formalities.
This can lead to delayed updates and potentially troublesome issues.
Of course, automatic merging comes with its own risks, but if the benefits of automation outweigh those risks, it’s a good idea to automatically merge at least some updates—excluding major updates, for example.
But if approvals from codeowners are required by Branch Rulesets, you need to approve pull requests automatically.
GitHub Apps can't be codeowners, so you need to approve pull requests using machine user's PAT.
But if the PAT is abused, people can approve any pull requests using it and merge them without pull request reviews.
It's so dangerous.
So you must protect machine user's PAT securely.
You shouldn't pass it to workflows widely.
This action allows you to protect PAT by [the Client/Server Model](https://github.com/csm-actions/docs).
This action intends to approve only pull requests created by reliable Apps automatically.
This action doesn't approve pull requests unless they don't meet the following conditions:
1. All commits are linked to GitHub Users
1. All commits are signed
1. All committers or authors are allowed in the input `allowed_committers` (By default, `allowed_committers` are `renovate[bot]` and `dependabot[bot]`)
## How To Set Up
- Create a server repository
- Create a server GitHub App:
- Required Permissions: `pull_requests:read` and `contents:read` To validate pull requests
- Installed Repositories: client and server repositories
- Create a fine-grained PAT of a machine user
- Required Permissions:
- `pull_requests:write`: To approve pull requests
- Repositories: client repositories
- [Allow the server workflow to access the PAT securely](https://github.com/csm-actions/docs?tab=readme-ov-file#secret-management)
- Create the server workflow: [Example](https://github.com/csm-actions/demo-server/blob/main/.github/workflows/approve.yaml)
- Create a client GitHub App:
- Required Permissions: `issues:write` To create GitHub Issue labels
- Installed Repositories: client and server repositories
- Run the client action in client workflows: [Example](https://github.com/csm-actions/demo-client/blob/c46ce73ffdaa83af182d733a382d5dc051d3b994/.github/workflows/approve.yaml#L11-L20)
## Actions
Approve PR Action composes of following actions:
- [csm-actions/approve-pr-action](action.yaml): Client action
- [csm-actions/approve-pr-action/server](server/action.yaml): Server action