Auto-approve Workflow Action

14 May 2021 in Action Spotlight

Automatically approve workflow execution from new contributors if they're safe to approve

When GitHub disabled automatic workflow runs to prevent crypto miners, it made some OSS maintainers' lives harder, so I wrote a GitHub Action that automatically approves all pending workflow runs (so long as they don't edit .github/workflows).

Fact Sheet

What does it do?

When a pull request is raised by a first-time contributor to a repo, any workflows that would usually be triggered are set to pending instead. This is to prevent bad actors abusing Actions for things like crypto mining.

Pull request workflow awaiting approval

This is a good thing in general, but it affects all pull requests, not just those that change executable code. Blocking everything was the fastest way to fix the issue, as any code that executes could be used to start a mining process.

However, it also impacted projects such as the OctoPrint plugin repository, whose pull requests are primarily non-executable metadata.

This action is intended to run every 5 minutes and approve any pending workflow runs, allowing the maintainer to see all the information they need to review a PR, such as linting and test results, without having to wait for a build to be approved by hand.

How does it work?

This action runs on a schedule, fetching any pending workflow runs and automatically approving them if some constraints are met: only the workflows you name are approved, and a run is skipped if the pull request touches anything under .github/workflows or any file you list as dangerous. It requires a personal access token, as shown in the GitHub API docs.
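To make the approval rule concrete, here is an added example of the decision a scheduled approver makes for each pending run. It is not the action's own source; the network calls are separated from the filter so the filter can be exercised on constructed data without a token. The run fields used (status, path, head_sha, id) and the endpoints referenced are from the GitHub REST API; looking up the pull request by head SHA via the commits/{sha}/pulls endpoint is my assumption about how to find the PR, not something the post states.

```javascript
// Added example, not the action's own code: approve pending runs only when the
// workflow is allow-listed and the PR touches no dangerous files.

const API = "https://api.github.com";

// Split a comma-separated input such as "pr.yml,lint.yml" into a clean list.
function parseList(value) {
  return value.split(",").map((s) => s.trim()).filter(Boolean);
}

// Any change under .github/workflows/ is refused unconditionally, because it can
// alter what the approved run executes; the maintainer's dangerous_files list
// (e.g. build scripts the workflow runs) is refused on top of that.
function isDangerousFile(filename, dangerousFiles) {
  if (filename.startsWith(".github/workflows/")) return true;
  return dangerousFiles.includes(filename);
}

// Decide whether one workflow run may be approved.
// `run` has the shape returned by GET /repos/{owner}/{repo}/actions/runs
// (fields used: status, path); `changedFiles` is the PR's list of file names.
function shouldApprove(run, changedFiles, { workflows, dangerousFiles }) {
  // Runs blocked on first-time-contributor approval report "action_required".
  if (run.status !== "action_required") {
    return { approve: false, reason: "run is not waiting for approval" };
  }
  const workflowFile = run.path.split("/").pop();
  if (!workflows.includes(workflowFile)) {
    return { approve: false, reason: `${workflowFile} is not an allowed workflow` };
  }
  const blocked = changedFiles.filter((f) => isDangerousFile(f, dangerousFiles));
  if (blocked.length > 0) {
    return { approve: false, reason: `dangerous files changed: ${blocked.join(", ")}` };
  }
  return { approve: true, reason: "only safe files changed" };
}

// --- network side: needs a PAT; never reached in offline use ---

function headers(token) {
  return { Authorization: `Bearer ${token}`, Accept: "application/vnd.github+json" };
}

async function ghGet(token, path) {
  const res = await fetch(`${API}${path}`, { headers: headers(token) });
  if (!res.ok) throw new Error(`${path}: HTTP ${res.status}`);
  return res.json();
}

async function approvePendingRuns(token, owner, repo, inputs) {
  const opts = {
    workflows: parseList(inputs.workflows),
    dangerousFiles: parseList(inputs.dangerous_files),
  };
  const repoPath = `/repos/${owner}/${repo}`;
  const { workflow_runs } = await ghGet(token, `${repoPath}/actions/runs?status=action_required`);
  for (const run of workflow_runs) {
    // Assumption: find the PR via the run's head commit, since run.pull_requests
    // is not reliably populated for pull requests from forks.
    const prs = await ghGet(token, `${repoPath}/commits/${run.head_sha}/pulls`);
    if (prs.length === 0) continue;
    const files = await ghGet(token, `${repoPath}/pulls/${prs[0].number}/files`);
    const verdict = shouldApprove(run, files.map((f) => f.filename), opts);
    console.log(`run ${run.id} (${run.path}): ${verdict.approve ? "approve" : "skip"} - ${verdict.reason}`);
    if (verdict.approve) {
      await fetch(`${API}${repoPath}/actions/runs/${run.id}/approve`, {
        method: "POST",
        headers: headers(token),
      });
    }
  }
}

// Only talk to GitHub when a token and repository are supplied via the environment.
if (process.env.GITHUB_TOKEN && process.env.GITHUB_REPOSITORY) {
  const [owner, repo] = process.env.GITHUB_REPOSITORY.split("/");
  approvePendingRuns(process.env.GITHUB_TOKEN, owner, repo, {
    workflows: process.env.INPUT_WORKFLOWS || "pr.yml,lint.yml",
    dangerous_files: process.env.INPUT_DANGEROUS_FILES || "build.js",
  }).catch((err) => { console.error(err); process.exitCode = 1; });
}
```

The important design point is that the filter fails closed: a run is approved only when the workflow file is on the allow-list and every changed file passes, and workflow definitions are blocked regardless of configuration, because a PR that edits the workflow could otherwise change what the approved run executes.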

Working through the action:

Common use cases

There's only one use case for this action, which is to approve safe workflows to run automatically. This typically means workflows that run processes such as linting or static site generation.

name: Automatic Approve

on:
  schedule:
    - cron: "*/5 * * * *"

jobs:
  automatic-approve:   # job id not shown in the original; any id will do
    name: Automatic Approve
    runs-on: ubuntu-latest
    steps:
      - name: Automatic Approve
        uses: mheap/automatic-approve-action@<version>   # version tag garbled in the original; pin a release tag
        with:
          token: ${{ secrets.PAT }}
          workflows: "pr.yml,lint.yml"
          dangerous_files: "build.js"