SandeepVaman · SandeepVaman · Dec 16, 2025 · Dec 15, 2025 · Dec 16, 2025 · Dec 16, 2025
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
@@ -7,8 +7,7 @@ on:
       - main
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   auto-merge:
@@ -19,41 +18,47 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Check for changes in allowed paths
-        id: check_changes
-        uses: dorny/paths-filter@v3
-        with:
-          filters: |
-            safe_changes:
-              - 'docs/**'
-              - 'assets/**'
-              # Add your specific folders here
-
-      - name: Verify if ONLY safe paths were changed
-        id: verify_exclusive
-        # We need to ensure that the user didn't change 'docs/' AND 'src/core/security.js'
-        # The paths-filter action returns 'true' if matches are found, but we need to ensure
-        # NO files outside those paths were changed.
+      - name: Get changed files
+        id: changed_files
         run: |
-          # Get list of all changed files
-          CHANGED_FILES=$(gh pr diff ${{ github.event.pull_request.number }} --name-only)
-
-          # Logic to check if any file falls OUTSIDE the allowed folders
-          # This is a critical security step.
-          # (Simplified for brevity; in production, use a script to compare the lists)
-
-          if [[ "${{ steps.check_changes.outputs.safe_changes }}" == "true" ]]; then
-            echo "Safe changes detected."
-          else
-             echo "Unsafe changes or mixed content. Skipping auto-merge."
-             exit 1
-          fi
+          FILES=$(gh pr diff ${{ github.event.pull_request.number }} --name-only)
+          echo "files<<EOF" >> $GITHUB_OUTPUT
+          echo "$FILES" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Auto Merge
-        if: steps.check_changes.outputs.safe_changes == 'true'
+      - name: Check if only safe paths changed
+        id: check_safe
+        run: |
+          SAFE=true
+          while IFS= read -r file; do
+            if [[ ! "$file" =~ ^docs/ && ! "$file" =~ ^assets/ ]]; then
+              echo "Unsafe file: $file"
+              SAFE=false
+              break
+            fi
+          done <<< "${{ steps.changed_files.outputs.files }}"
+          echo "safe=$SAFE" >> $GITHUB_OUTPUT
+
+      - name: Generate GitHub App token
+        if: steps.check_safe.outputs.safe == 'true'
+        id: app_token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+      - name: Approve PR
+        if: steps.check_safe.outputs.safe == 'true'
+        run: |
+          gh pr review ${{ github.event.pull_request.number }} --approve --body "Auto-approved: changes only in docs/ or assets/"
+        env:
+          GH_TOKEN: ${{ steps.app_token.outputs.token }}
+
+      - name: Enable auto-merge
+        if: steps.check_safe.outputs.safe == 'true'
         run: |
-          gh pr merge ${{ github.event.pull_request.number }} --merge --auto --subject "Auto-merge based on folder rules"
+          gh pr merge ${{ github.event.pull_request.number }} --merge --auto
         env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ steps.app_token.outputs.token }}
diff --git a/docs/README.md b/docs/README.md
@@ -1,3 +1,4 @@
 # Test Begins
 
-1. Added branch protection and trying to push to main
+1. Added branch protection and trying to push to main
+1. Raising a PR.