From 86ffb5a1226797b16ea218648ea20f83f2c96c16 Mon Sep 17 00:00:00 2001
From: Tyler Jeong
Date: Wed, 27 May 2026 17:55:25 +0900
Subject: [PATCH 1/2] [chore]: auto-approve release PRs via automation

Port approve-by-automation from the release-test repo, scoped to release/v* PRs only (the test version approved all PRs). Without this, the release workflow Merge step fails branch protection (At least 1 approving review is required), as seen on the v3.18.0 attempt. The Jira EM approval remains the real release gate.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/approve-by-automation.yml | 22 +++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 .github/workflows/approve-by-automation.yml

diff --git a/.github/workflows/approve-by-automation.yml b/.github/workflows/approve-by-automation.yml
new file mode 100644
index 000000000..cda8044f1
--- /dev/null
+++ b/.github/workflows/approve-by-automation.yml
@@ -0,0 +1,22 @@
+name: Approve by automation
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+permissions:
+  pull-requests: write
+
+jobs:
+  approve-release-pr:
+    if: startsWith(github.head_ref, 'release/v')
+    runs-on: ubuntu-latest
+    steps:
+      - name: Approve release pull request
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr review "${{ github.event.pull_request.number }}" \
+            --approve \
+            --body "Auto-approved: release branch PR. Release is gated by the Jira EM approval." \
+            --repo "${{ github.repository }}"

From 219d61bc0f24479b642de2062a40c7b9ed6bdef4 Mon Sep 17 00:00:00 2001
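Review bot: The new workflow file carries no comment explaining why an automated approving review exists or what the real release gate is; a reader of `.github/workflows/approve-by-automation.yml` sees only a bot that approves pull requests, while the rationale lives solely in this commit message. Add a header comment above `name:` along the lines of `# Satisfies the branch-protection rule of one approving review on release PRs so the release workflow's Merge step can proceed; the actual release gate is the Jira EM approval, not this review.` The same explanatory comment is still absent after the follow-up patch to this file in this series.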
From: Tyler Jeong
Date: Wed, 27 May 2026 18:10:24 +0900
Subject: [PATCH 2/2] [chore]: restrict release auto-approval to exact release/vX.Y.Z on main

Address Codex P1: the startsWith(release/v) check alone allowed any release/v-prefixed branch targeting main to be auto-approved, bypassing human review. Now require base==main plus the exact semver release-branch pattern (same as release-workflow.yml), and read branch/PR/repo via env vars to avoid expression injection.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/approve-by-automation.yml | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/approve-by-automation.yml b/.github/workflows/approve-by-automation.yml
index cda8044f1..1bb553c62 100644
--- a/.github/workflows/approve-by-automation.yml
+++ b/.github/workflows/approve-by-automation.yml
@@ -9,14 +9,21 @@ permissions:
 
 jobs:
   approve-release-pr:
-    if: startsWith(github.head_ref, 'release/v')
+    if: github.base_ref == 'main' && startsWith(github.head_ref, 'release/v')
     runs-on: ubuntu-latest
     steps:
       - name: Approve release pull request
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HEAD_REF: ${{ github.head_ref }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          REPO: ${{ github.repository }}
         run: |
-          gh pr review "${{ github.event.pull_request.number }}" \
+          if ! printf '%s' "$HEAD_REF" | grep -qE '^release/v[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "Not an exact release/vX.Y.Z branch ('$HEAD_REF'); skipping auto-approval."
+            exit 0
+          fi
+          gh pr review "$PR_NUMBER" \
             --approve \
-            --body "Auto-approved: release branch PR. Release is gated by the Jira EM approval." \
-            --repo "${{ github.repository }}"
+            --body "Auto-approved: release branch PR (release/vX.Y.Z). Release is gated by the Jira EM approval." \
+            --repo "$REPO"
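Review bot: The approval is still granted on branch name and base alone, so any identity that can push a `release/vX.Y.Z` branch to this repository obtains an approving review from the workflow token, and because `synchronize` remains in `on.pull_request.types` (lines 3-5 of the file, outside this hunk) every later push to such a branch is re-approved, which defeats a dismiss-stale-reviews-on-push protection for these PRs. If release PRs are always opened by one known identity, tighten the job condition to that identity as well, e.g. `if: github.base_ref == 'main' && startsWith(github.head_ref, 'release/v') && github.event.pull_request.user.login == '<release-automation-login>'` with the real login substituted, and drop `synchronize` unless the release workflow pushes to the branch after opening the PR. The semver regex belongs in the shell step as written, since workflow expressions have no regex support, and reading the branch through `$HEAD_REF` rather than an inline expression is the right choice; a one-line comment above the `if ! printf` line stating that `$HEAD_REF` is untrusted input and the exact match is what narrows the bypass would make that intent survive future edits.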