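---
# Automatically approves and merges pull requests once the CI check passes.
# No human approval is required: the CI check is the gatekeeper, so the
# actor list and step conditions below are the only things standing between
# a push and a merge. Keep them tight.
#
# The original file held two variants of this workflow pasted together
# (duplicate `on:` and job-level `if:` keys, two "Auto-approve PR" steps,
# an empty `script:` block and a duplicate `body:` key). Most parsers keep
# the last duplicate key silently, so the `labeled` trigger and the real
# actor list were being dropped. This is the single, coherent version.
name: Auto-Approve and Merge

on:
  pull_request:
    types: [opened, synchronize, reopened, labeled]
  # check_suite and workflow_run payloads carry no pull_request object, so
  # every ${{ github.event.pull_request.* }} expression below is empty for
  # those runs; the job-level `if` skips them.
  check_suite:
    types: [completed]
  workflow_run:
    workflows: ["CI", "Auto Deploy"]
    types: [completed]

# Approving, commenting and enabling auto-merge need pull-requests: write;
# the squash merge itself needs contents: write.
permissions:
  contents: write
  pull-requests: write

jobs:
  auto-merge:
    runs-on: ubuntu-latest
    # Trusted actors: only their PRs are auto-merged.
    # github.actor is whoever triggered this run (the pusher on `synchronize`,
    # the labeler on `labeled`), not necessarily the PR author
    # (github.event.pull_request.user.login) -- confirm that is the intent.
    # The 'auto-merge' label path extends trust to anyone who can apply
    # labels on the repository, beyond the actors listed here.
    if: |
      github.event_name == 'pull_request' && (
        github.actor == 'blackboxprogramming' ||
        github.actor == 'codex-bot' ||
        github.actor == 'dependabot[bot]' ||
        github.actor == 'github-actions[bot]' ||
        github.actor == 'claude-code[bot]' ||
        contains(github.event.pull_request.labels.*.name, 'auto-merge')
      )
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # Block until the CI check on the PR head commit reports a conclusion.
      # continue-on-error keeps the job alive on a timeout so the failure
      # comment below still runs; the gate itself is `outputs.conclusion`.
      # NOTE(review): third-party actions here are pinned to tags; pinning
      # to a full commit SHA would fix the code that runs with this token.
      - name: Wait for checks to complete
        uses: fountainhead/action-wait-for-check@v1.2.0
        id: wait-for-checks
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          checkName: detect-and-deploy
          ref: ${{ github.event.pull_request.head.sha }}
          timeoutSeconds: 600
          intervalSeconds: 15
        continue-on-error: true

      # Only a reported success opens the gate. The earlier
      # `|| steps.wait-for-checks.outcome == 'failure'` clause approved and
      # merged when the wait step itself failed (timeout, check never
      # reported), which is exactly the case the CI gate exists to stop.
      - name: Auto-approve PR
        if: steps.wait-for-checks.outputs.conclusion == 'success'
        uses: hmarr/auto-approve-action@v4
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # `gh pr merge --auto` queues the merge behind the branch protection
      # rule on the base branch; presumably such a rule exists, as the
      # command errors without one -- verify in repository settings.
      - name: Enable auto-merge
        if: steps.wait-for-checks.outputs.conclusion == 'success'
        run: gh pr merge --auto --squash "${{ github.event.pull_request.number }}"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Anything other than success (failure, cancelled, timed out, or the
      # wait step failing with no output) leaves a visible trail on the PR.
      - name: Comment on failure
        if: steps.wait-for-checks.outputs.conclusion != 'success'
        uses: actions/github-script@v7
        with:
          script: |
            github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.payload.pull_request.number,
              body: '⚠️ **Checks failed** - Review required before merge.'
            });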