AUTOMERGE.md

File metadata and controls

95 lines (70 loc) · 3.31 KB

Merge pull requests from Renovate automatically under secure settings

In this document, we describe how to set up CI to merge pull requests from Renovate automatically under secure settings.

Goals

  • Merge pull requests from Renovate automatically
  • Forbid users from merging changes without reviews

Secure Settings

Set up branch protection rules for the following branches.

  • main
    • Require a pull request before merging
      • Require approvals (1 approval)
      • Dismiss stale pull request approvals when new commits are pushed
      • Require review from Code Owners
      • Require approval of the most recent reviewable push
    • Require status checks to pass before merging
      • Status checks that are required: status-check
    • Do not allow bypassing the above settings
  • renovate/*
    • Do not allow bypassing the above settings
    • Restrict who can push to matching branches
      • Restrict pushes that create matching branches
        • renovate
        • aqua-update-checksum-renovatepush (GitHub App)
    • Allow deletions
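The branch protection settings above are the part of this setup that actually stops a human from bypassing review, so they are worth checking after they have been configured (and again after anyone with admin rights has touched them). The following script is an added example, not part of the aqua project: it reads the JSON that GitHub's REST endpoint GET /repos/{owner}/{repo}/branches/{branch}/protection returns and reports each setting that deviates from the list above. The two sample responses are constructed for illustration; only their shape follows the API.

```python
"""Audit a branch-protection API response against the `main` settings in this document.

Added example (not the aqua project's own code). The field names follow GitHub's
REST response for GET /repos/{owner}/{repo}/branches/{branch}/protection; the
sample dictionaries below are constructed and not captured from a real repository.
"""
import json
import subprocess
from typing import Any

# The required status check named in this document.
REQUIRED_CONTEXT = "status-check"


def audit_branch_protection(protection: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means `main` matches the document."""
    findings: list[str] = []

    reviews = protection.get("required_pull_request_reviews")
    if reviews is None:
        findings.append("pull request reviews are not required")
    else:
        if reviews.get("required_approving_review_count", 0) < 1:
            findings.append("fewer than 1 approval required")
        if not reviews.get("dismiss_stale_reviews"):
            findings.append("stale approvals are not dismissed on new commits")
        if not reviews.get("require_code_owner_reviews"):
            findings.append("review from Code Owners is not required")
        if not reviews.get("require_last_push_approval"):
            findings.append("approval of the most recent reviewable push is not required")

    checks = protection.get("required_status_checks")
    if checks is None:
        findings.append("status checks are not required")
    elif REQUIRED_CONTEXT not in checks.get("contexts", []):
        findings.append(f"required status check {REQUIRED_CONTEXT!r} is missing")

    # "Do not allow bypassing the above settings" is exposed by the API as enforce_admins.
    if not protection.get("enforce_admins", {}).get("enabled"):
        findings.append("administrators can bypass branch protection")

    return findings


def fetch_protection(repo: str, branch: str = "main") -> dict[str, Any]:
    """Fetch the live settings with the gh CLI (requires a logged-in `gh`)."""
    out = subprocess.run(
        ["gh", "api", f"repos/{repo}/branches/{branch}/protection"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


# Constructed sample: a `main` branch configured exactly as this document describes.
SECURE_MAIN = {
    "required_status_checks": {"strict": True, "contexts": ["status-check"]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": True,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
        "require_last_push_approval": True,
    },
}

# Constructed sample of a weakened configuration: admins may bypass, and an
# approval survives new commits being pushed to the pull request.
WEAK_MAIN = {
    "required_status_checks": {"strict": False, "contexts": ["status-check"]},
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": {
        "dismiss_stale_reviews": False,
        "require_code_owner_reviews": True,
        "required_approving_review_count": 1,
        "require_last_push_approval": False,
    },
}

if __name__ == "__main__":
    import sys

    # `python audit.py owner/repo` audits a real repository; no argument uses the sample.
    data = fetch_protection(sys.argv[1]) if len(sys.argv) > 1 else WEAK_MAIN
    for line in audit_branch_protection(data) or ["OK: main matches the documented settings"]:
        print(line)
```

The checks cover only the main branch; the renovate/* rule (push restrictions and allowed deletions) is reported under a different part of the same response and is left out here.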

Repository Setting

  • Allow auto-merge

GitHub Apps

Create two GitHub Apps and install them in the repository.

  • aqua-update-checksum-push
    • Used for pull requests that do not come from Renovate
    • Permissions
      • contents: write: Update aqua-checksums.json and push a commit to a pull request
      • (Optional) pull-requests: write: Update the branch via a pull request comment
  • aqua-update-checksum-renovatepush
    • Used for pull requests from Renovate
    • Permissions
      • contents: write
        • Update aqua-checksums.json and push a commit to a pull request
        • Enable auto-merge
      • pull-requests: write
        • Enable auto-merge
        • Update the branch via a pull request comment
      • workflows: write: Enable auto-merge of pull requests that update GitHub Actions workflows

If workflows: write is missing, GitHub disables auto-merge on such a pull request and shows the following message:

auto-merge was automatically disabled 8 minutes ago Tried to create or update workflow without workflows permission

Fine-grained Personal Access Token

Create a fine-grained personal access token to approve pull requests from Renovate automatically.

  • permissions:
    • pull-requests: write

The owner of the access token must be a member of the organization, have write permission on the repository, and be one of its code owners.

Repository Secrets

Create Repository Secrets.

  • APP_ID: GitHub App ID of aqua-update-checksum-push
  • APP_PRIVATE_KEY: GitHub App Private Key of aqua-update-checksum-push

GitHub Environment

Create a GitHub Environment.

  • renovate
    • deployment branch rule: renovate/*, (Optional) main
      • (Optional) main is required to update the branch via a pull request comment.
    • Secrets
      • APP_ID: GitHub App ID of aqua-update-checksum-renovatepush
      • APP_PRIVATE_KEY: GitHub App Private Key of aqua-update-checksum-renovatepush
      • GH_TOKEN_APPROVE_RENOVATE_PR: fine-grained personal access token
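The pieces above come together in one GitHub Actions workflow. The following is an added illustration written for this document, not the aqua project's own workflow: the file name, the job layout and the `aqua update-checksum` step are assumptions, the token step uses the actions/create-github-app-token action with its `app-id` and `private-key` inputs, and the example assumes that the renovate environment's deployment branch rule (renovate/*) admits runs for pull requests from those branches, as configured above. Every privileged action uses either the App token or the fine-grained PAT, never the workflow's GITHUB_TOKEN.

```yaml
# .github/workflows/update-aqua-checksums.yaml (assumed file name)
name: update-aqua-checksums
on:
  pull_request:
    branches: [main]

jobs:
  update-aqua-checksums:
    # First gate: only Renovate branches run this job.
    # Second gate: the `renovate` environment only releases its secrets
    # to branches matching its deployment branch rule (renovate/*).
    if: startsWith(github.head_ref, 'renovate/')
    runs-on: ubuntu-latest
    environment: renovate
    # GITHUB_TOKEN gets no permissions; the App token and the PAT do the work.
    permissions: {}
    env:
      PR_NUMBER: ${{ github.event.pull_request.number }}
    steps:
      - name: Generate a token for aqua-update-checksum-renovatepush
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}
          # The App token is allowed to push to renovate/* by the branch protection above.
          token: ${{ steps.app-token.outputs.token }}

      - name: Update aqua-checksums.json and push (contents: write)
        run: |
          aqua update-checksum   # regenerates aqua-checksums.json (assumed invocation)
          git config user.name "aqua-update-checksum-renovatepush[bot]"
          git config user.email "aqua-update-checksum-renovatepush[bot]@users.noreply.github.com"
          git add aqua-checksums.json
          if ! git diff --cached --quiet; then
            git commit -m "chore: update aqua-checksums.json"
            git push
          fi

      - name: Approve the pull request
        # The App cannot satisfy "Require review from Code Owners"; the PAT of a
        # code owner can. Approving after the push keeps the approval from being
        # dismissed as stale.
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN_APPROVE_RENOVATE_PR }}
        run: gh pr review --approve "$PR_NUMBER"

      - name: Enable auto-merge (contents: write, pull-requests: write, workflows: write)
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: gh pr merge --auto --squash "$PR_NUMBER"
```

With this layout a pull request from anyone other than Renovate never reaches the renovate environment, so the approving PAT and the renovatepush App key stay out of reach; the merge itself still waits for the required status-check, so a failing build blocks even an approved Renovate update.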
