https://github.com/suzuki-shunsuke/deny-self-approve
CLI to deny self-approved GitHub Pull Requests
cli oss security
- Host: GitHub
- URL: https://github.com/suzuki-shunsuke/deny-self-approve
- Owner: suzuki-shunsuke
- License: mit
- Created: 2025-01-12T00:06:15.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2025-04-22T05:30:34.000Z (16 days ago)
- Last Synced: 2025-04-22T07:05:16.022Z (16 days ago)
- Topics: cli, oss, security
- Language: Go
- Homepage:
- Size: 308 KB
- Stars: 3
- Watchers: 1
- Forks: 0
- Open Issues: 6
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE
README
# deny-self-approve
[License](https://raw.githubusercontent.com/suzuki-shunsuke/deny-self-approve/main/LICENSE) | [Install](INSTALL.md) | [Usage](USAGE.md) | [GitHub Action](https://github.com/suzuki-shunsuke/deny-self-approve-action)
`deny-self-approve` is a CLI tool that detects and rejects self-approved GitHub Pull Requests.
```sh
deny-self-approve validate -r <owner>/<repo> -pr <number>
```
The command fails if the given pull request is not approved by someone who is not a committer of the pull request.
It requires an approval from a non-committer of the pull request. The exception is when multiple people approve the pull request.
The goal of this tool is to prevent a single person from merging a pull request by self-approval, without approval from others.
If multiple people approve the pull request, the goal is met. We assume it's run in CI.
The following GitHub Repository Branch Rulesets are useful to protect branches such as default branches:
- `Require a pull request before merging`
- `Dismiss stale pull request approvals when new commits are pushed`
- `Require review from Code Owners`
- `Require approval of the most recent reviewable push`
- `Require status checks to pass`

But even if you configure these rulesets properly, people can still bypass the restriction.
For instance, people can approve pull requests using a GitHub Actions token, a GitHub App, or Machine Users.
People can also push commits to pull requests created by others (other users, a GitHub Actions token, a GitHub App, or Machine Users) and then approve them. This tool prevents such a threat.
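The rule above, as an added Go example that is not the project's own code: hypothetical `Commit`/`Review` types stand in for the GitHub API objects, reviews are assumed to arrive in chronological order, and a commit with no linked GitHub user is assumed to fail the check closed.

```go
package main

import (
	"errors"
	"fmt"
)

// Commit and Review are minimal stand-ins (hypothetical, not the project's own
// types). Login is empty when a commit is not linked to a GitHub user.
type Commit struct{ Login string }
type Review struct{ Login, State string } // State: "APPROVED", "CHANGES_REQUESTED", ...

// An unattributable commit makes the committer set unknowable, so the check
// fails closed (assumption; see the project's docs/001.md for its own handling).
var ErrUnlinkedCommit = errors.New("commit not linked to a GitHub user")

// Validate applies the README's rule: pass if some approver is not a committer,
// or if two or more distinct people approve; otherwise fail. Reviews are assumed
// to be in chronological order, and a user's latest review decides their state.
func Validate(commits []Commit, reviews []Review) (bool, error) {
	committers := map[string]bool{}
	for _, c := range commits {
		if c.Login == "" {
			return false, ErrUnlinkedCommit
		}
		committers[c.Login] = true
	}
	latest := map[string]string{}
	for _, r := range reviews {
		latest[r.Login] = r.State // a later CHANGES_REQUESTED cancels an earlier approval
	}
	approvers := 0
	for login, state := range latest {
		if state != "APPROVED" {
			continue
		}
		approvers++
		if !committers[login] {
			return true, nil // approved by someone who did not push to the PR
		}
	}
	return approvers >= 2, nil // committers approving each other still means two reviewers
}

func main() {
	// Constructed sample: alice pushed the only commit and approved it herself.
	ok, err := Validate([]Commit{{"alice"}}, []Review{{"alice", "APPROVED"}})
	fmt.Println(ok, err) // false <nil>
}
```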
## GitHub Actions
[We provide a GitHub Action to prevent self-approvals easily.](https://github.com/suzuki-shunsuke/deny-self-approve-action)
## :warning: Commit not linked to a GitHub User
[Please see the document.](docs/001.md)
## Get a repository and pull request number from CI environment
If you run this tool on your machine, you need to specify parameters `-repo` and `-pr`.
e.g.
```sh
deny-self-approve validate -r suzuki-shunsuke/deny-self-approve -pr 1
```
But on some CI platforms such as GitHub Actions and CircleCI, you don't need to specify them, because this tool gets these parameters automatically from environment variables and files.
This tool uses the library [go-ci-env](https://github.com/suzuki-shunsuke/go-ci-env) for that.