Skip to content

ci: fix Renovate automerge — add bot self-approval workflow#23

Merged
obrien-k merged 1 commit into
orphic-inc:mainfrom
obrien-k:ci/renovate-automerge-approval
Jul 10, 2026
Merged

ci: fix Renovate automerge — add bot self-approval workflow#23
obrien-k merged 1 commit into
orphic-inc:mainfrom
obrien-k:ci/renovate-automerge-approval

Conversation

@obrien-k

Copy link
Copy Markdown
Member

Summary

Renovate's automerge rules were silently inert: branch protection on main requires 1 approving review, and Renovate cannot approve its own PRs. PR #22 (the forced actions/checkout bump) passed all checks and sat REVIEW_REQUIRED/BLOCKED indefinitely — confirmed live before writing this fix.

Changes:

  • New workflow .github/workflows/renovate-approve.yml: approves a PR only when github.actor == 'renovate[bot]', the PR head is same-repo (not a fork), and it carries the automerge label.
  • renovate.json: attach "labels": ["automerge"] only to the pre-decided safe classes (dev-tooling patch/minor where applicable, github-actions digests, lockfile maintenance). Prisma, Docker base images, and majors carry no such label, so they still require a human review — unchanged from the original policy.
  • Also enabled the repo's "Allow auto-merge" setting (was off) — required for Renovate's auto-merge request to take effect even after approval.

Validated offline: npx renovate-config-validator renovate.jsonConfig validated successfully.

Follow-up to #9.

Test plan

  • renovate-config-validator passes
  • Next automerge-eligible PR (github-actions digest / dev-tooling patch-minor / lockfile maintenance) gets bot-approved and merges without a manual click
  • Confirm Prisma / base-image / major PRs still land unlabeled and unapproved by the bot

Branch protection requires 1 approving review on main, and Renovate
cannot approve its own PRs — so every automerge:true rule in
renovate.json was silently inert (PRs sat REVIEW_REQUIRED forever
despite passing checks). Add a workflow that approves a PR only when
it's from renovate[bot], same-repo (not a fork), and carries the
'automerge' label — which renovate.json now attaches only to the
pre-decided safe classes (dev-tooling patch/minor, github-actions
digests, lockfile maintenance). Prisma, base images, and majors carry
no such label and still require a human review.

Also enabled the 'Allow auto-merge' repo setting (was off), required
for Renovate's platformAutomerge request to take effect once approved.
@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@obrien-k obrien-k merged commit 18af66b into orphic-inc:main Jul 10, 2026
2 checks passed
@obrien-k obrien-k deleted the ci/renovate-automerge-approval branch July 10, 2026 20:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant