ci: harden auto-approve against self-modification (handle #159)#160
Merged
… learnings Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
- Make wf-changes detection resilient (|| echo) so it cannot fail the job after the approve step has run.
- Use || echo on enable auto-merge (pattern from patchloom) so the workflow run succeeds even on GITHUB_TOKEN fallback for workflow-touching PRs.
- Approval step remains early and unconditional for trusted actors.
- Update AGENTS.md gotcha note with the resilience details and reference to patchloom + ci-branch-protection.

This ensures reviews are submitted (when PR events run the main definition) and the Auto-approve check reports success for such infra PRs.

Fixes #159

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
SebTardif added a commit that referenced this pull request on Jun 22, 2026
…fter #160 (#161) The specific emergency procedure (bypass + --admin) for PRs that touch auto-approve.yml is no longer required. The landed fix ensures the review is submitted early and the workflow run succeeds. Updated wording in AGENTS.md (and cross-referenced skills) to reflect the resolution of #159. The general emergency hatch for other auto-approve breakage remains documented in ci-branch-protection. Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
Resilient auto-approve for PRs that modify auto-approve.yml itself (and other workflow files).
Changes
- .github/workflows/auto-approve.yml: || echo "" so transient errors do not fail the job (Approve PR step is first). || echo "..." so the step succeeds on fallback (GITHUB_TOKEN) or restrictions. Matches the pattern used in patchloom/patchloom.
- AGENTS.md: Updated the self-modification note to describe the early-approve + resilient-later-steps design. References patchloom and ci-branch-protection for emergency.

Why
GitHub only runs "push" validation (0 jobs, failure) for the changed workflow definition on the feature branch. pull_request runs use main's definition. With approval before the wf/merge logic and a non-fatal merge step, reviews are added and the Auto-approve status is green when it runs.
Rare cases may still need the bypass hatch (documented).
Fixes #159.
See also patchloom's working auto-approve.yml and ~/.grok/skills/ci-branch-protection/SKILL.md.
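The early-approve + resilient-later-steps design described in this PR, as an added illustration that is not the repository's actual auto-approve.yml (that file is not shown on this page) and not code from patchloom. The trigger, the trusted-actor condition, the secret name AUTO_APPROVE_TOKEN, and the use of gh for the review, diff and merge steps are all assumptions made for the example:

```yaml
name: Auto-approve (illustrative example, not the project's workflow)

on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  pull-requests: write
  contents: write

jobs:
  auto-approve:
    # Assumed trusted-actor gate. The real condition is not on the page;
    # keep this list tight, because everything below trusts the PR author.
    if: github.event.pull_request.user.login == 'SebTardif'
    runs-on: ubuntu-latest
    env:
      # Assumed secret name. Prefer a PAT/App token that may push workflow
      # files; fall back to GITHUB_TOKEN when it is not configured.
      GH_TOKEN: ${{ secrets.AUTO_APPROVE_TOKEN || secrets.GITHUB_TOKEN }}
      PR: ${{ github.event.pull_request.number }}
    steps:
      # 1. Approve first and unconditionally. Deliberately NOT wrapped in
      #    "|| echo": if the review cannot be submitted, the check must fail,
      #    otherwise a green "Auto-approve" status would mean nothing.
      - name: Approve PR
        run: gh pr review "$PR" --repo "$GITHUB_REPOSITORY" --approve

      # 2. Detect workflow-file changes. Runs after the approval, so a
      #    transient gh/API error here must not fail the job ("|| echo").
      - name: Detect workflow changes
        id: wf
        run: |
          changed="$(gh pr diff "$PR" --repo "$GITHUB_REPOSITORY" --name-only 2>/dev/null || echo "")"
          if printf '%s\n' "$changed" | grep -q '^\.github/workflows/'; then
            echo "touches_workflows=true" >> "$GITHUB_OUTPUT"
          else
            echo "touches_workflows=false" >> "$GITHUB_OUTPUT"
          fi

      # 3. Enable auto-merge. Tolerated failure: on the GITHUB_TOKEN fallback,
      #    or under branch restrictions, this call can be refused for PRs that
      #    touch workflow files, and the run should still succeed.
      - name: Enable auto-merge
        run: |
          gh pr merge "$PR" --repo "$GITHUB_REPOSITORY" --auto --squash \
            || echo "auto-merge not enabled (touches_workflows=${{ steps.wf.outputs.touches_workflows }}); merge manually if needed"
```

The point of the ordering is that the only step whose failure matters for the security property (a review actually submitted by a trusted identity) is the one that is allowed to fail the job; the steps after it are convenience and get "|| echo". Do not copy the "|| echo" pattern onto the approve step itself, and keep the job gated on an explicit actor allow-list rather than on the event alone.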