Skip to content

ci: add renovate auto-approve workflow#35

Merged
jimisola merged 1 commit intomainfrom
ci/add-renovate-approve-workflow
Mar 7, 2026
Merged

ci: add renovate auto-approve workflow#35
jimisola merged 1 commit intomainfrom
ci/add-renovate-approve-workflow

Conversation

@jimisola
Copy link
Member

@jimisola jimisola commented Mar 7, 2026

Summary

  • Add caller workflow for the centralised Renovate auto-approve reusable workflow in reqstool/.github
  • When Renovate opens a PR, this workflow approves it using `GITHUB_TOKEN`, satisfying the required-review branch protection rule
  • Unblocks Renovate's existing auto-merge setting so PRs merge automatically once checks pass

🤖 Generated with Claude Code

ci: add renovate auto-approve workflow
134b87e 
Calls the centralised reusable workflow in reqstool/.github to
auto-approve Renovate PRs, satisfying the required-review branch
protection rule and unblocking Renovate's auto-merge.

Signed-off-by: jimisola <jimisola@jimisola.com>
@jimisola jimisola self-assigned this Mar 7, 2026
github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 7, 2026
View reviewed changes
.github/workflows/renovate-approve.yml

jobs:
approve:
uses: reqstool/.github/.github/workflows/renovate-approve.yml@main

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix

AI 13 days ago

To fix the problem, add an explicit permissions: block that grants only the minimal required permissions for this workflow. Because this job only delegates to a reusable workflow via uses:, the caller should still define its own permissions; the called workflow cannot gain more permissions than the caller provides. The safest general default when you don’t know the exact needs is contents: read, which matches GitHub’s recommended minimal baseline and satisfies the CodeQL rule by explicitly constraining the GITHUB_TOKEN.

The best minimal change here is to add a permissions: section at the top level of the workflow (just under name: and before on:). This will apply to all jobs (including approve, which doesn’t define its own permissions:), without changing how the job is structured or how it calls the reusable workflow. No imports or additional methods are needed—this is purely a YAML configuration change in .github/workflows/renovate-approve.yml around lines 1–4.

Suggested changeset 1
.github/workflows/renovate-approve.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/renovate-approve.yml b/.github/workflows/renovate-approve.yml
--- a/.github/workflows/renovate-approve.yml
+++ b/.github/workflows/renovate-approve.yml
@@ -1,4 +1,6 @@
 name: Renovate auto-approve
+permissions:
+  contents: read
 
 on:
   pull_request:
EOF
@@ -1,4 +1,6 @@
name: Renovate auto-approve
permissions:
contents: read

on:
pull_request:
Copilot is powered by AI and may make mistakes. Always verify output.
@jimisola jimisola merged commit 994ddb9 into main Mar 7, 2026
6 checks passed
@jimisola jimisola deleted the ci/add-renovate-approve-workflow branch March 7, 2026 18:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@jimisola jimisola

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jimisola