Add agentic workflow for auto-approving dependency PRs#2906

Merged
plengauer merged 11 commits into main from copilot/approve-dependency-pull-requests
Feb 16, 2026

Conversation


Copilot AI commented Feb 14, 2026

Implements automated approval for pull requests containing only dependency updates or version bumps from Renovate bot or repository owner.

Implementation

  • Agentic workflow (.github/workflows/auto-approve-renovate-prs.md) using gh-aw v0.43.23
    • Triggers on PR opened/synchronized/reopened/ready_for_review events
    • AI agent verifies: non-draft status, trusted authors only, dependency-only changes
    • Conservative approval logic: rejects on any uncertainty
  • Custom safe-outputs job for PR approval via GitHub API
    • Separate job with pull-requests: write permission
    • Main agent runs read-only with GitHub toolsets (repos, pull_requests, actions)
    • Reads approval body from agent output artifact
  • Allowed file changes:
    • Dependency files: package.json, requirements.txt, pom.xml, meta/debian/control, meta/rpm/*.spec, .github/images.json
    • Root-level VERSION file

Agent verification flow

1. Check PR draft status → reject if draft
2. List all commits → verify authors (renovate[bot] or plengauer only)
3. Get changed files → ensure only dependencies/VERSION modified
4. Review diffs → confirm no code logic changes
5. Approve with detailed comment if ALL criteria met

Security

  • Strict mode: minimal permissions, template injection protection via env vars
  • Permission separation: agent (read) → approval job (write)
  • Same-repo PRs only (forks blocked)
  • CodeQL: 0 alerts

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • github.github.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha /usr/bin/rm mktemp /usr/bin/git -p y, .value.used, /tmp/tmp.4g1FJd4IAk_opentelemetry_shell_2788.observation_handle.pipe�� /usr/bin/rm git erva�� ad180516:.github/workflows/auto-approve-renovate-prs.lock.yml .github/AUTO-APPROVE-WORKFLOW-README.md /usr/bin/mkfifo auer/opentelemetsleep mktemp /usr/bin/mkfifo mkfifo (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha /usr/bin/cut sleep /usr/bin/mktemp /usr/bin/rm cut /usr/bin/rm mktemp pipe�� -p /tmp /usr/bin/mkfifo /usr/bin/sleep rm /usr/bin/mkfifo mkfifo (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.43.23
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.43.23 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.43.23 --jq .object.sha --show-toplevel (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.43.23 --jq .object.sha /home/REDACTED/work/Thoth/Thoth/.github/workflows y, .value.used, .value.remaining] | @tsv /home/REDACTED/work/_temp/ghcca-node/node/bin/bash (http block)
  • https://api.github.com/user
    • Triggering command: /usr/bin/gh gh api user --jq .login (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login /home/REDACTED/work/_temp/runtime-logs/user.env ame t[bot] (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login --global credential.helper /usr/local/bin/git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Create a workflow for GitHub Agentic Workflows using https://raw.githubusercontent.com/github/gh-aw/main/create.md

The purpose of the workflow is to react to all pushes to pull requests. If the pull request is not a draft, and its branch only has pushes from Renovate bot or the repository owner, and the changes only adjust dependencies or bump the version in the root-level VERSION file, the pull request should be approved. The approval should only be issued if the above conditions are true beyond any reasonable doubt.
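The verification flow described in the comment above, written out as an added example (not the PR's workflow or agent code): the deterministic parts of the checks (draft status, same-repo head branch, trusted commit authors, allowlisted paths, a single-line VERSION bump) as plain Python over a constructed PR snapshot. The field names `draft`, `head_repo`, `base_repo`, `commits[].author` and `files[].filename`/`patch` are assumptions loosely modelled on the GitHub REST API, the sample PRs are constructed, and step 4 of the flow (judging whether a diff's content is really only a dependency change) is the agent's job and is not reproduced here. The gate defaults to rejection whenever data is missing, matching the "reject on any uncertainty" rule.

```python
"""Deterministic gate for the auto-approve decision (added example, not
the project's workflow code). Field names are assumptions loosely modelled
on the GitHub REST API; all sample data below is constructed."""
from pathlib import PurePosixPath

# Trusted authors named in the PR description.
TRUSTED_LOGINS = {"renovate[bot]", "plengauer"}

# Exact paths from the allowlist, plus the root-level VERSION file.
ALLOWED_EXACT = {
    "package.json", "requirements.txt", "pom.xml",
    "meta/debian/control", ".github/images.json", "VERSION",
}


def is_allowed_path(path: str) -> bool:
    """True only for allowlisted files. 'meta/rpm/*.spec' means a .spec file
    directly under meta/rpm; subdirectories, '..' segments, absolute paths and
    non-normalised spellings such as './VERSION' are rejected."""
    p = PurePosixPath(path)
    if str(p) != path or p.is_absolute() or ".." in p.parts:
        return False
    if path in ALLOWED_EXACT:
        return True
    return p.parent == PurePosixPath("meta/rpm") and p.suffix == ".spec"


def version_bump_is_single_line(patch: str) -> bool:
    """A VERSION change must replace exactly one line with exactly one line."""
    lines = patch.splitlines()
    removed = [l for l in lines if l.startswith("-") and not l.startswith("---")]
    added = [l for l in lines if l.startswith("+") and not l.startswith("+++")]
    return len(removed) == 1 and len(added) == 1


def evaluate(pr: dict) -> tuple[bool, list[str]]:
    """Return (approve, reasons). Any failed check, and any missing data,
    withholds approval: the default answer is 'no'."""
    reasons: list[str] = []
    if pr.get("draft", True):                      # missing field counts as draft
        reasons.append("PR is a draft")
    if pr.get("head_repo") != pr.get("base_repo"):  # forks are never auto-approved
        reasons.append("head branch is not in the base repository")
    commits = pr.get("commits") or []
    if not commits:
        reasons.append("no commits found")
    for c in commits:
        if c.get("author") not in TRUSTED_LOGINS:
            reasons.append(f"untrusted commit author: {c.get('author')!r}")
    files = pr.get("files") or []
    if not files:
        reasons.append("no changed files found")
    for f in files:
        path = f.get("filename", "")
        if not is_allowed_path(path):
            reasons.append(f"file outside allowlist: {path!r}")
        elif path == "VERSION" and not version_bump_is_single_line(f.get("patch", "")):
            reasons.append("VERSION change is not a single-line bump")
    return (not reasons, reasons)


# Constructed sample PRs (not real repository data).
RENOVATE_PR = {
    "draft": False, "head_repo": "owner/repo", "base_repo": "owner/repo",
    "commits": [{"author": "renovate[bot]"}],
    "files": [
        {"filename": "package.json",
         "patch": '-  "left-pad": "1.3.0"\n+  "left-pad": "1.3.1"'},
        {"filename": "meta/rpm/example.spec", "patch": "-Version: 1.2\n+Version: 1.3"},
        {"filename": "VERSION", "patch": "-1.2\n+1.3"},
    ],
}
MIXED_PR = {
    "draft": False, "head_repo": "owner/repo", "base_repo": "owner/repo",
    "commits": [{"author": "renovate[bot]"}, {"author": "someone-else"}],
    "files": [
        {"filename": "package.json", "patch": '-  "x": "1"\n+  "x": "2"'},
        {"filename": "src/main.sh", "patch": "+echo hello"},
    ],
}

if __name__ == "__main__":
    for name, pr in (("renovate", RENOVATE_PR), ("mixed", MIXED_PR)):
        ok, why = evaluate(pr)
        print(name, "APPROVE" if ok else "REJECT", why)
```

The path check is stricter than a plain string comparison against the allowlist on purpose: it refuses `..` segments, absolute paths and `.spec` files nested below `meta/rpm`, so a file list that merely contains an allowlisted name somewhere in its path does not pass.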


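The "template injection protection via env vars" item under Security, shown as an added example (not code from the PR or from gh-aw): it simulates how a GitHub Actions `run:` step is assembled. Expression expansion (`${{ ... }}`) is a textual substitution performed before the shell ever parses the script, so a PR field containing shell syntax becomes part of the command; passing the same field through `env:` delivers it as process data that the shell does not re-parse. The PR title below is constructed, and the two functions stand in for the two ways of writing the step.

```python
"""Why untrusted PR fields go through env vars (added example, not code
from the PR). Simulates GitHub Actions expression expansion as textual
substitution before 'sh' parses the step. The title is constructed."""
import os
import subprocess

# Constructed PR title: looks like a dependency bump but carries shell syntax.
UNTRUSTED_TITLE = 'Bump left-pad to 1.3.1"; echo INJECTED; echo "'

EXPR = "${{ github.event.pull_request.title }}"


def run_step_inline(title: str) -> str:
    """Weak pattern:   run: echo "PR: ${{ github.event.pull_request.title }}"
    The expression is substituted into the script text, then sh parses the
    result, so quotes and semicolons in the title become shell structure."""
    script = f'echo "PR: {EXPR}"'.replace(EXPR, title)
    return subprocess.run(["sh", "-c", script], capture_output=True, text=True).stdout


def run_step_env(title: str) -> str:
    """Hardened pattern:  env: PR_TITLE: ${{ github.event.pull_request.title }}
                          run: echo "PR: $PR_TITLE"
    The value arrives in the environment; "$PR_TITLE" expands to data only."""
    script = 'echo "PR: $PR_TITLE"'
    env = dict(os.environ, PR_TITLE=title)
    return subprocess.run(["sh", "-c", script], capture_output=True, text=True,
                          env=env).stdout


def injected(output: str) -> bool:
    """True when the payload ran as its own command (its marker is a whole line)."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("inline:", repr(run_step_inline(UNTRUSTED_TITLE)))
    print("env:   ", repr(run_step_env(UNTRUSTED_TITLE)))
```

The same reasoning applies to any event-controlled field (branch names, commit messages, PR bodies): with the inline form the step's output contains the marker on its own line, meaning a second command executed; with the env form the whole title is echoed back verbatim as one line.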

Copilot AI and others added 4 commits February 14, 2026 04:45
Co-authored-by: plengauer <100447901+plengauer@users.noreply.github.com>
Co-authored-by: plengauer <100447901+plengauer@users.noreply.github.com>
Co-authored-by: plengauer <100447901+plengauer@users.noreply.github.com>
Co-authored-by: plengauer <100447901+plengauer@users.noreply.github.com>
Copilot AI changed the title [WIP] Add workflow to approve dependency pull requests Add agentic workflow for auto-approving dependency PRs Feb 14, 2026
Copilot AI requested a review from plengauer February 14, 2026 04:50
Updated the auto-approve Renovate PRs workflow to refine criteria for automatic approval and streamline environment variable usage.
@plengauer plengauer marked this pull request as ready for review February 14, 2026 11:25
@plengauer plengauer requested a review from moflwi as a code owner February 14, 2026 11:25
Copilot AI review requested due to automatic review settings February 14, 2026 11:25

Copilot AI left a comment


Pull request overview

This PR introduces an automated approval workflow for pull requests containing only dependency updates or version bumps from trusted sources (Renovate bot and repository owner). It uses GitHub Agentic Workflows (gh-aw v0.43.23) to implement an AI-powered approval agent with conservative safety criteria.

Changes:

  • Added agentic workflow definition file (.github/workflows/auto-approve-renovate-prs.md) with AI agent instructions, trigger configuration, and custom safe-outputs job for PR approval
  • Added compiled workflow file (.github/workflows/auto-approve-renovate-prs.lock.yml) auto-generated by gh-aw, containing the complete GitHub Actions workflow with agent execution, threat detection, and permission-separated approval job

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File: .github/workflows/auto-approve-renovate-prs.md
Description: Workflow definition with AI agent instructions for verifying PR draft status, author trustworthiness, and dependency-only file changes. Includes custom safe-outputs job for PR approval via GitHub API.

File: .github/workflows/auto-approve-renovate-prs.lock.yml
Description: Auto-generated compiled workflow with complete job orchestration: pre-activation (team membership check), agent execution (with firewall and MCP servers), threat detection, safe-outputs processing, approval job (pull-requests: write), and conclusion handling.

@plengauer plengauer marked this pull request as draft February 15, 2026 23:04
auto-merge was automatically disabled February 15, 2026 23:04

Pull request was converted to draft

@plengauer plengauer marked this pull request as ready for review February 15, 2026 23:06
Copilot AI review requested due to automatic review settings February 15, 2026 23:06
@plengauer plengauer enabled auto-merge (squash) February 15, 2026 23:06

Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

Removed unnecessary inputs and simplified approval step.
@plengauer plengauer merged commit 61ad9fb into main Feb 16, 2026
663 of 667 checks passed
@plengauer plengauer deleted the copilot/approve-dependency-pull-requests branch February 16, 2026 16:23
3 participants