
Commit 3758e89

philipbalinov and claude committed
fix: scope trigger and poll for action_required status
Address review feedback:

- Scope workflow_run trigger to "CodeQL Advanced" only
- Restrict to version/ branches to narrow the approval surface
- Poll run status instead of checking conclusion in the if-condition, since conclusion is unset at the requested event stage

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 811b17b commit 3758e89

1 file changed

Lines changed: 20 additions & 7 deletions

@@ -1,9 +1,11 @@
11
name: Auto-approve bot workflow runs
22

33
on:
4-
# workflow_run runs in the context of the default branch,
5-
# so it is not itself subject to the approval gate.
4+
# Scoped to CodeQL only — the workflow that requires approval on bot PRs.
5+
# workflow_run runs in the default-branch context, so it is not itself
6+
# subject to the approval gate.
67
workflow_run:
8+
workflows: ["CodeQL Advanced"]
79
types: [requested]
810

911
permissions:
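Review bot: the `workflows: ["CodeQL Advanced"]` filter added in this hunk matches the triggering workflow's `name:` string, not its file path, so a later rename of the CodeQL workflow silently stops auto-approval (this job simply never fires) rather than failing anywhere visible; add a comment beside the filter saying the two names must stay in sync, since the comment above it only explains why the trigger is scoped, not that it is coupled by name. Also worth stating in that comment: `types: [requested]` still fires for every run of that workflow, pushes to the default branch included, and the narrowing to bot actors and `version/` branches happens in the job's `if`, so the trigger scoping here reduces noise but is not the control.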
@@ -13,15 +15,26 @@ jobs:
1315
approve:
1416
runs-on: ubuntu-latest
1517
if: >-
16-
github.event.workflow_run.conclusion == 'action_required' &&
17-
contains(fromJSON('["github-actions[bot]","dependabot[bot]"]'), github.event.workflow_run.actor.login)
18+
contains(fromJSON('["github-actions[bot]","dependabot[bot]"]'), github.event.workflow_run.actor.login) &&
19+
startsWith(github.event.workflow_run.head_branch, 'version/')
1820
steps:
19-
- name: Approve workflow run
21+
- name: Approve workflow run if pending
2022
env:
2123
GH_TOKEN: ${{ github.token }}
2224
RUN_ID: ${{ github.event.workflow_run.id }}
2325
ACTOR: ${{ github.event.workflow_run.actor.login }}
2426
REPO: ${{ github.repository }}
2527
run: |
26-
echo "Approving run $RUN_ID triggered by $ACTOR"
27-
gh run approve "$RUN_ID" --repo "$REPO"
28+
# The 'requested' event fires before the conclusion is set.
29+
# Poll briefly for GitHub to settle the run into action_required.
30+
for i in 1 2 3; do
31+
STATUS=$(gh run view "$RUN_ID" --repo "$REPO" --json status --jq '.status')
32+
if [ "$STATUS" = "action_required" ]; then
33+
echo "Approving run $RUN_ID triggered by $ACTOR"
34+
gh run approve "$RUN_ID" --repo "$REPO"
35+
exit 0
36+
fi
37+
echo "Run status is '$STATUS', waiting…"
38+
sleep 10
39+
done
40+
echo "Run $RUN_ID never entered action_required state — skipping"
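Review bot: I cannot find `gh run approve` (the approve line inside the loop) among gh's `run` subcommands (cancel, delete, download, list, rerun, view, watch), and nothing in this step would surface that until the first real bot PR sits unapproved; please verify with `gh run --help` on the runner, and if it is absent call the REST endpoint the approval button uses, e.g. `gh api --method POST "repos/$REPO/actions/runs/$RUN_ID/approve"`. Two smaller points in the poll loop: the step runs under bash `-e`, so a transient failure of `gh run view` inside `STATUS=$(...)` aborts the step on that iteration instead of retrying on the next one (append `|| true` and test for an empty `STATUS` if the loop is meant to be best-effort); and after three 10 s iterations the step exits 0 with the same "skipping" message whether the run never needed approval or merely took longer than 30 s to settle, so a missed approval is invisible in the job result. Emitting `::warning::` (or failing) when the last observed status is still not `action_required` would make that case visible. On the `if`: `head_branch` is whatever the pusher named the PR head, so the `version/` prefix only narrows the surface as the commit message says; the bot-actor allowlist remains the actual authorization check, and the hunk keeps it in place.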
