covid19-forecast-hub/.github/workflows/auto-merge-authorized-prs.yaml at 72090aab46328c37e7750f123b09d4de2de30666 · CDCgov/covid19-forecast-hub · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
name: "Auto Merge Authorized PRs"

on:
  workflow_dispatch:
  pull_request_target:
    branches: main
    paths:
      - "model-output/**"
      - "!model-output/README.md"
      - "!model-output/CovidHub-ensemble/**"
      - "!model-output/CovidHub-baseline/**"

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  check-authorization:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    steps:
      - name: "Checkout Code"
        uses: actions/checkout@v6

      - name: "Set Up hubhelpr"
        uses: cdcgov/hubhelpr/actions/setup-hubhelpr@main

      - name: "Get All Changes"
        id: get_all_changed_files
        uses: step-security/changed-files@v47
        with:
          json: true

      - name: "Check Authorized Users"
        uses: cdcgov/hubhelpr/actions/check-authorized-users@main
        with:
          changed_files: ${{ steps.get_all_changed_files.outputs.all_modified_files }}
          gh_actor: ${{ github.actor }}

  approve-and-merge:
    needs: check-authorization
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: "Generate Installation Token"
        id: get_token
        uses: actions/create-github-app-token@v3
        with:
          app-id: ${{ vars.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_KEY }}

      - name: "Approve PR"
        env:
          GH_TOKEN: ${{ steps.get_token.outputs.token }}
        run: |
          gh pr review ${{ github.event.pull_request.number }} --approve \
            --repo ${{ github.repository }} \
            --body "Changes approved. Thank you for your contribution."

      - name: "Merge PR"
        env:
          GH_TOKEN: ${{ steps.get_token.outputs.token }}
        run: |
          gh pr merge --auto ${{ github.event.pull_request.number }} --squash \
            --repo ${{ github.repository }} \
            --body "PR #${{ github.event.pull_request.number }} was automatically merged because the user is authorized to modify these directories."