diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml index 927a77a..73c01fb 100644 --- a/.github/workflows/auto-merge.yml +++ b/.github/workflows/auto-merge.yml @@ -7,8 +7,7 @@ on: - main permissions: - contents: write - pull-requests: write + contents: read jobs: auto-merge: 
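Review bot: Dropping `pull-requests: write` is the right direction, but the new `permissions` block names only `contents: read`, which sets every other scope of `GITHUB_TOKEN` to none, and the `Get changed files` step in the next hunk still runs `gh pr diff` with `secrets.GITHUB_TOKEN`; that call likely needs `pull-requests: read`, so add it here so the file-list step does not 403. The privilege removed from the workflow token reappears through the App token minted later, so the reduction only holds if that App installation is itself narrow; if the `create-github-app-token` version in use supports them, pin the token with `repositories`/`owner` and the `permission-contents: write` / `permission-pull-requests: write` inputs rather than inheriting the installation's full grant. The `on:` trigger this hunk edits begins above the hunk and is not visible here.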
@@ -19,41 +18,47 @@ jobs: with: fetch-depth: 0 - - name: Check for changes in allowed paths - id: check_changes - uses: dorny/paths-filter@v3 - with: - filters: | - safe_changes: - - 'docs/**' - - 'assets/**' - # Add your specific folders here - - - name: Verify if ONLY safe paths were changed - id: verify_exclusive - # We need to ensure that the user didn't change 'docs/' AND 'src/core/security.js' - # The paths-filter action returns 'true' if matches are found, but we need to ensure - # NO files outside those paths were changed. + - name: Get changed files + id: changed_files run: | - # Get list of all changed files - CHANGED_FILES=$(gh pr diff ${{ github.event.pull_request.number }} --name-only) - - # Logic to check if any file falls OUTSIDE the allowed folders - # This is a critical security step. - # (Simplified for brevity; in production, use a script to compare the lists) - - if [[ "${{ steps.check_changes.outputs.safe_changes }}" == "true" ]]; then - echo "Safe changes detected." - else - echo "Unsafe changes or mixed content. Skipping auto-merge." - exit 1 - fi + FILES=$(gh pr diff ${{ github.event.pull_request.number }} --name-only) + echo "files<> $GITHUB_OUTPUT + echo "$FILES" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Auto Merge - if: steps.check_changes.outputs.safe_changes == 'true' + - name: Check if only safe paths changed + id: check_safe + run: | + SAFE=true + while IFS= read -r file; do + if [[ ! "$file" =~ ^docs/ && ! 
"$file" =~ ^assets/ ]]; then + echo "Unsafe file: $file" + SAFE=false + break + fi + done <<< "${{ steps.changed_files.outputs.files }}" + echo "safe=$SAFE" >> $GITHUB_OUTPUT + + - name: Generate GitHub App token + if: steps.check_safe.outputs.safe == 'true' + id: app_token + uses: actions/create-github-app-token@v1 + with: + app-id: ${{ secrets.APP_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} + + - name: Approve PR + if: steps.check_safe.outputs.safe == 'true' + run: | + gh pr review ${{ github.event.pull_request.number }} --approve --body "Auto-approved: changes only in docs/ or assets/" + env: + GH_TOKEN: ${{ steps.app_token.outputs.token }} + + - name: Enable auto-merge + if: steps.check_safe.outputs.safe == 'true' run: | - gh pr merge ${{ github.event.pull_request.number }} --merge --auto --subject "Auto-merge based on folder rules" + gh pr merge ${{ github.event.pull_request.number }} --merge --auto env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + GH_TOKEN: ${{ steps.app_token.outputs.token }} diff --git a/docs/README.md b/docs/README.md index ec74c24..11fa3cc 100644 --- a/docs/README.md +++ b/docs/README.md @@ -1,3 +1,4 @@ # Test Begins -1. Added branch protection and trying to push to main \ No newline at end of file +1. Added branch protection and trying to push to main +1. Raising a PR. \ No newline at end of file
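Review bot: The `Check if only safe paths changed` step splices PR-controlled file names straight into the shell script via `done <<< "${{ steps.changed_files.outputs.files }}"`, so a PR adding a file whose name contains `$(...)` or a closing double quote executes arbitrary commands in this job, which on the "safe" path goes on to mint an App token; pass the output through the environment instead, `env: FILES: ${{ steps.changed_files.outputs.files }}` on the step and `done <<< "$FILES"` in the script. The check also no longer fails the job on an unsafe file (the removed `exit 1`), while the App approval and the `--auto` merge both persist across later pushes, so a PR approved while docs-only can acquire non-docs commits and still merge unless branch protection dismisses stale approvals and requires a check that actually turns red; confirm those settings or re-add a non-zero exit on the unsafe branch. The multi-line output uses a fixed `EOF` delimiter (the opening line shows as `files<>` on this page, presumably `files<<EOF` lost to extraction), which a file literally named `EOF` can terminate early; use a random delimiter such as `delimiter=$(openssl rand -hex 8)`. The steps list this hunk edits starts before the hunk and the workflow trigger is not visible, so whether fork PRs even reach the App-token steps (secrets are withheld on `pull_request` runs from forks) cannot be judged from here.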