ci(workflows): add auto-review

- replaces `approve-pr`

Signed-off-by: Lexus Drumgold <unicornware@flexdevelopment.llc>

.dictionary.txt

@@ -21,6 +21,7 @@ groupby
 hmarr
 iife
 infile
+jchen
 kaisugi
 keyid
 ksort

.github/dependabot.yml

@@ -20,8 +20,6 @@ updates:
     labels:
       - scope:dependencies
       - type:ci
-    reviewers:
-      - flex-development/dependabot-review
     schedule:
       interval: daily
   - package-ecosystem: npm
@@ -62,7 +60,5 @@ updates:
       - type:build
     registries:
       - github
-    reviewers:
-      - flex-development/dependabot-review
     schedule:
       interval: daily

.github/infrastructure.yml

@@ -23,6 +23,7 @@ branches:
         checks:
           - context: add-to-project
           - context: auto-merge
+          - context: auto-review
           - context: build
           - context: changelog
           - context: codecov/changes
@@ -243,7 +244,3 @@ repository:
   visibility: public
   vulnerability_alerts: true
   web_commit_signoff_required: true
-# https://docs.github.com/rest/teams/teams#add-or-update-team-repository-permissions
-teams:
-  - team_slug: dependabot-review
-    permission: triage

.github/workflows/auto-review.yml

@@ -0,0 +1,67 @@
+# Auto Review
+#
+# Automatically approve pull requests by privileged actors after all status checks are successfully
+# completed.
+#
+# References:
+#
+# - https://cli.github.com/manual/gh_auth_status
+# - https://cli.github.com/manual/gh_pr_review
+# - https://docs.github.com/actions/learn-github-actions/contexts
+# - https://docs.github.com/actions/learn-github-actions/expressions
+# - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#pull_request
+# - https://docs.github.com/actions/using-workflows/using-github-cli-in-workflows
+# - https://docs.github.com/actions/using-workflows/workflow-commands-for-github-actions
+# - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#pull_request
+# - https://github.com/actions/checkout
+# - https://github.com/actions/create-github-app-token
+# - https://github.com/hmarr/debug-action
+# - https://github.com/jchen1/wait-for-green
+
+---
+name: auto-review
+on: pull_request
+concurrency:
+  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.ref }}
+jobs:
+  auto-review:
+    if: |
+      github.event.pull_request.draft == false &&
+      github.event.pull_request.state == 'open' &&
+      contains(vars.PRIVILEGED_ACTORS, github.actor)
+    runs-on: ubuntu-latest
+    steps:
+      - id: debug
+        name: Print environment variables and event payload
+        uses: hmarr/debug-action@v2.1.0
+      - id: bot-token
+        name: Get bot token
+        uses: actions/create-github-app-token@v1.5.0
+        with:
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_PRIVATE_KEY }}
+      - id: github-token
+        name: Set $GITHUB_TOKEN from bot token
+        run: echo "GITHUB_TOKEN=${{ steps.bot-token.outputs.token }}" >>$GITHUB_ENV
+      - id: gh-auth
+        name: Check gh authentication state
+        run: gh auth status
+      - id: checkout
+        name: Checkout ${{ github.head_ref }}
+        uses: actions/checkout@v4.1.1
+        with:
+          persist-credentials: false
+          ref: ${{ github.head_ref }}
+          token: ${{ steps.bot-token.outputs.token }}
+      - id: status-checks
+        name: Wait for status checks to complete
+        uses: jchen1/wait-for-green@v1.0.8
+        with:
+          commit: ${{ github.head_ref }}
+          ignored_checks: ${{ github.workflow }}
+          token: ${{ steps.bot-token.outputs.token }}
+      - id: approve
+        if: fromJson(steps.status-checks.outputs.success)
+        name: Approve pull request
+        run: gh pr review ${{ github.event.number }} --approve --body='lgtm 👍🏾'

.github/workflows/infrastructure.yml

@@ -11,12 +11,13 @@
 # References:
 #
 # - https://docs.github.com/actions/learn-github-actions/contexts
+# - https://docs.github.com/actions/learn-github-actions/expressions
 # - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#push
 # - https://docs.github.com/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch
 # - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#push
 # - https://docs.github.com/webhooks-and-events/webhooks/webhook-events-and-payloads#workflow_dispatch
-# - https://github.com/actions-cool/check-user-permission
 # - https://github.com/actions/checkout
+# - https://github.com/actions/create-github-app-token
 # - https://github.com/flex-development/rice-action
 # - https://github.com/hmarr/debug-action
 
@@ -36,26 +37,27 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   infrastructure:
+    if: contains(vars.ADMINS, github.actor)
     runs-on: ubuntu-latest
     steps:
       - id: debug
         name: Print environment variables and event payload
         uses: hmarr/debug-action@v2.1.0
-      - id: check-actor-permission
-        name: Check @${{ github.actor }} permission level
-        uses: actions-cool/check-user-permission@v2.2.0
+      - id: bot-token
+        name: Get bot token
+        uses: actions/create-github-app-token@v1.5.0
         with:
-          require: admin
-          username: ${{ github.actor }}
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_PRIVATE_KEY }}
       - id: checkout
-        name: Checkout ${{ github.ref_name }}
+        name: Checkout ${{ github.ref_name }}@${{ github.sha }}
         uses: actions/checkout@v4.1.1
         with:
           persist-credentials: false
-          ref: ${{ github.ref }}
+          ref: ${{ github.sha }}
+          token: ${{ steps.bot-token.outputs.token }}
       - id: update
-        if: steps.check-actor-permission.outputs.require-result == 'true'
         name: Update repository infrastructure
         uses: flex-development/rice-action@1.0.0
         with:
-          token: ${{ secrets.PAT_REPO }}
+          token: ${{ steps.bot-token.outputs.token }}