[chore]: auto-approve release PRs via automation#1433
Port approve-by-automation from the release-test repo, scoped to release/v* PRs only (the test version approved all PRs). Without this, the release workflow Merge step fails branch protection (At least 1 approving review is required), as seen on the v3.18.0 attempt. The Jira EM approval remains the real release gate. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
✅ Deploy Preview for sendbird-uikit-react ready!
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 86ffb5a122
The job condition the review comments on, from `approve-by-automation.yml` at that commit:

```yaml
jobs:
  approve-release-pr:
    if: startsWith(github.head_ref, 'release/v')
```
Restrict auto-approval to real release branches
In a same-repository PR whose source branch merely starts with release/v, this job submits an approving review without checking the base branch, actor, or the semver release-branch pattern used by .github/workflows/release-workflow.yml (^release/v[0-9]+\.[0-9]+\.[0-9]+$). That lets any write-access user create something like release/v-anything targeting main and have the one required GitHub approval satisfied by automation, bypassing the human review gate for non-release changes that pass required checks. Please tighten this condition to the exact release branch format and intended target/actor before approving.
Address Codex P1: the startsWith(release/v) check alone allowed any release/v-prefixed branch targeting main to be auto-approved, bypassing human review. Now require base==main plus the exact semver release-branch pattern (same as release-workflow.yml), and read branch/PR/repo via env vars to avoid expression injection. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
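The gate the Codex review asks for and the follow-up commit describes, written out as an added shell example (not the PR's own workflow file): same-repository origin, `main` as the base branch, and the exact `^release/v[0-9]+\.[0-9]+\.[0-9]+$` pattern that the review quotes from `release-workflow.yml`, with every PR field taken from environment variables. The `env:` mapping in the header comment and the `org/sendbird-uikit-react` repository name are assumptions. Passing `${{ github.head_ref }}` through `env:` rather than interpolating it into `run:` matters because a git ref name may legally contain `;`, `$(`, backticks and quotes: interpolated into the script text those characters are parsed as shell, while in an environment variable they stay data.

```shell
#!/usr/bin/env bash
# Added example, not the workflow shipped in this PR. Assumed step wiring:
#
#   env:
#     HEAD_REF: ${{ github.head_ref }}
#     BASE_REF: ${{ github.base_ref }}
#     PR_REPO:  ${{ github.event.pull_request.head.repo.full_name }}
#     REPO:     ${{ github.repository }}
#   run: ./gate.sh && gh pr review "$PR_NUMBER" --approve
#
# Exact release-branch pattern, as quoted from release-workflow.yml in the review.
RELEASE_BRANCH_RE='^release/v[0-9]+\.[0-9]+\.[0-9]+$'

# is_release_pr HEAD_REF BASE_REF PR_REPO REPO
# Returns 0 only when every condition holds; explains the rejection on stderr.
is_release_pr() {
  local head_ref="$1" base_ref="$2" pr_repo="$3" repo="$4"

  # 1. Same-repo PRs only: a fork can name its source branch anything.
  if [ "$pr_repo" != "$repo" ]; then
    echo "skip: PR originates from fork $pr_repo" >&2
    return 1
  fi

  # 2. Must target main; a release branch aimed elsewhere is not the release flow.
  if [ "$base_ref" != "main" ]; then
    echo "skip: base branch is $base_ref, not main" >&2
    return 1
  fi

  # 3. Exact semver branch. startsWith() would have accepted release/v-anything,
  #    release/v3.18 and release/v3.18.0-rc1; the anchored regex rejects all three.
  if ! printf '%s\n' "$head_ref" | grep -Eq "$RELEASE_BRANCH_RE"; then
    echo "skip: head branch $head_ref does not match $RELEASE_BRANCH_RE" >&2
    return 1
  fi

  return 0
}

# Entry point for the workflow step: reads only the env vars, never $1 from
# an interpolated expression, so branch names cannot alter the script.
gate_from_env() {
  is_release_pr "${HEAD_REF:-}" "${BASE_REF:-}" "${PR_REPO:-}" "${REPO:-}"
}

# Constructed sample inputs: the v3.18.0 release PR plus the abuse cases from the
# review. The repository name is an assumption.
REPO_NAME=org/sendbird-uikit-react
for head in release/v3.18.0 release/v-anything release/v3.18 release/v3.18.0-rc1; do
  if is_release_pr "$head" main "$REPO_NAME" "$REPO_NAME" 2>/dev/null; then
    echo "$head -> approve"
  else
    echo "$head -> skip"
  fi
done
```

Only a zero exit from `gate_from_env` should be followed by the approval call; the loop above prints `approve` for `release/v3.18.0` alone. An actor check (restricting the job to the identity that opens release PRs) would tighten this further, but the page does not say which identity that is, so it is left out here.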
Summary

Adds `approve-by-automation.yml` to auto-approve release PRs (head branch `release/v*`) so the automated release can merge to `main` after the Jira EM approval, without a manual GitHub review.

Without this, the release workflow's `Merge release branch to main` step fails branch protection — `At least 1 approving review is required by reviewers with write access` (hit on the v3.18.0 attempt).

Scoping & safety

- Scoped to `release/v` head branches — feature PRs are untouched and still need normal human review.
- `permissions: pull-requests: write` (minimum needed to approve).
- Runs on `opened`/`reopened`/`synchronize` so the approval is re-applied if branch protection dismisses it when the release workflow pushes the CHANGELOG finalize commit.

Context

- Ported from the `uikit-react-release-test` repo, which had this workflow but it was never carried over to production. (Same class of gap as the missing `is_test` dispatch input.)

Note
This relies on the github-actions bot approval counting toward branch protection's required review (works in the test repo). If production branch protection rejects bot approvals, we'll need a PAT or GitHub App instead.
🤖 Generated with Claude Code