In this document, we describe how to set up CI to merge pull requests from Renovate automatically under secure settings. The goals are:

- Merge pull requests from Renovate automatically
- Forbid users from merging changes without reviews
Set up branch protections.

- `main`
  - Require a pull request before merging
    - Require approvals (1 approval)
    - Dismiss stale pull request approvals when new commits are pushed
    - Require review from Code Owners
    - Require approval of the most recent reviewable push
  - Require status checks to pass before merging
    - Status checks that are required: `status-check`
  - Do not allow bypassing the above settings
- `renovate/*`
  - Do not allow bypassing the above settings
  - Restrict who can push to matching branches
    - Restrict pushes that create matching branches
    - Allowed: `renovate` and the GitHub App `aqua-update-checksum-renovatepush`
  - Allow deletions

The push restrictions on `renovate/*` are what make the rest of this setup safe: the `renovate` GitHub Environment described below exposes its secrets only to workflow runs on `renovate/*` branches, so if anyone else could create or push to such a branch they could run a workflow with those secrets and merge their own changes without review.

Enable `Allow auto-merge` in the repository settings (Settings > General > Pull Requests).
Create two GitHub Apps and install them in the repository. Two apps are used because the app that handles Renovate pull requests holds stronger permissions (it enables auto-merge and may update workflow files), and its credentials are kept in the restricted `renovate` environment rather than in repository secrets.

- `aqua-update-checksum-push`
  - Used for pull requests that do not come from Renovate
  - Permissions
    - `contents: write`: update `aqua-checksums.json` and push a commit to the pull request
    - (Optional) `pull-requests: write`: update the branch by pull request comment
- `aqua-update-checksum-renovatepush`
  - Used for pull requests from Renovate
  - Permissions
    - `contents: write`
      - Update `aqua-checksums.json` and push a commit to the pull request
      - Enable auto-merge
    - `pull-requests: write`
      - Enable auto-merge
      - Update the branch by pull request comment
    - `workflows: write`: enable auto-merge of pull requests that update GitHub Actions workflows

If `workflows: write` is missing, GitHub disables auto-merge on pull requests that touch workflow files and shows a message such as "auto-merge was automatically disabled 8 minutes ago: Tried to create or update workflow without `workflows` permission".
Create a fine-grained personal access token to approve pull requests from Renovate automatically.

- Permissions: `pull-requests: write`

The owner of the access token must be a member of the organization, have write permission on the repository, and be a code owner of the repository, because the `main` branch protection requires a review from a code owner.
Create repository secrets.

- `APP_ID`: GitHub App ID of `aqua-update-checksum-push`
- `APP_PRIVATE_KEY`: GitHub App private key of `aqua-update-checksum-push`
Create a GitHub Environment.

- `renovate`
  - Deployment branch rule: `renovate/*`, (Optional) `main`
    - `main` is only required to update the branch by pull request comment
  - Secrets
    - `APP_ID`: GitHub App ID of `aqua-update-checksum-renovatepush`
    - `APP_PRIVATE_KEY`: GitHub App private key of `aqua-update-checksum-renovatepush`
    - `GH_TOKEN_APPROVE_RENOVATE_PR`: the fine-grained personal access token

The environment secrets deliberately reuse the names `APP_ID` and `APP_PRIVATE_KEY`: a job that references the `renovate` environment receives the environment's values (the `aqua-update-checksum-renovatepush` app), while every other job receives the repository-level values (the `aqua-update-checksum-push` app). Environment secrets take precedence over repository secrets with the same name.
The following files are involved:

- `.github/workflows/*.yaml`
- `aqua.yaml`
- `aqua/*.yaml`
- `aqua-checksums.json` (autogenerated)
- `renovate.json5`
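To show how the branch protections, the two apps, the repository and environment secrets, and the personal access token fit together, here is an added example workflow. It is written for this page and is not aqua's own reusable workflow. It assumes `actions/create-github-app-token@v1` (inputs `app-id` and `private-key`), `aquaproj/aqua-installer` with an `aqua_version` input, and that `aqua update-checksum -prune` regenerates `aqua-checksums.json`; the workflow file name, the pinned action and aqua versions, and the commit identities are placeholders.

```yaml
# .github/workflows/update-aqua-checksum.yaml
# Added example for this page, not the project's own workflow. Assumed tools:
# actions/create-github-app-token@v1 (app-id / private-key inputs),
# aquaproj/aqua-installer (aqua_version input) and `aqua update-checksum -prune`.
name: update-aqua-checksum
on:
  pull_request:
    paths:
      - aqua.yaml
      - aqua/*.yaml
      - aqua-checksums.json
# The default GITHUB_TOKEN gets no scopes at all; every write uses an app token.
permissions: {}

jobs:
  # Pull requests from Renovate: head branch renovate/*, environment `renovate`
  # (its deployment branch rule only admits renovate/*), the renovatepush app,
  # then approval with the PAT and auto-merge with the app token.
  renovate:
    if: startsWith(github.head_ref, 'renovate/')
    runs-on: ubuntu-latest
    environment: renovate   # APP_ID / APP_PRIVATE_KEY here are the renovatepush app
    env:
      PR_NUMBER: ${{ github.event.pull_request.number }}
    steps:
      - id: token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}
          token: ${{ steps.token.outputs.token }}  # pushes are made as the app, so they trigger CI again
      - uses: aquaproj/aqua-installer@v3
        with:
          aqua_version: v2.36.1   # assumed version; pin the one you actually use
      - name: Update aqua-checksums.json and push it
        run: |
          aqua update-checksum -prune
          if git diff --quiet -- aqua-checksums.json; then
            echo "aqua-checksums.json is up to date"
            exit 0
          fi
          git config user.name "aqua-update-checksum-renovatepush[bot]"
          git config user.email "aqua-update-checksum-renovatepush[bot]@users.noreply.github.com"
          git add aqua-checksums.json
          git commit -m "chore: update aqua-checksums.json"
          git push origin "HEAD:refs/heads/${GITHUB_HEAD_REF}"
      # Approve AFTER pushing: "Dismiss stale approvals" and "Require approval of
      # the most recent reviewable push" would otherwise void the review. The PAT
      # owner (a code owner) approves; the app, a different identity, pushed.
      - name: Approve
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN_APPROVE_RENOVATE_PR }}
        run: gh pr review --approve -R "$GITHUB_REPOSITORY" "$PR_NUMBER"
      # Enabling auto-merge needs contents: write and pull-requests: write on the
      # app (plus workflows: write when the PR touches .github/workflows).
      - name: Enable auto-merge
        env:
          GH_TOKEN: ${{ steps.token.outputs.token }}
        run: gh pr merge --auto --squash -R "$GITHUB_REPOSITORY" "$PR_NUMBER"

  # Every other pull request: repository-level secrets (the push app), no
  # environment, no approval and no auto-merge; a human still has to review.
  others:
    if: ${{ !startsWith(github.head_ref, 'renovate/') }}
    runs-on: ubuntu-latest
    steps:
      - id: token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}          # aqua-update-checksum-push
          private-key: ${{ secrets.APP_PRIVATE_KEY }}
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}
          token: ${{ steps.token.outputs.token }}
      - uses: aquaproj/aqua-installer@v3
        with:
          aqua_version: v2.36.1   # assumed version
      - name: Update aqua-checksums.json and push it
        run: |
          aqua update-checksum -prune
          if git diff --quiet -- aqua-checksums.json; then
            exit 0
          fi
          git config user.name "aqua-update-checksum-push[bot]"
          git config user.email "aqua-update-checksum-push[bot]@users.noreply.github.com"
          git add aqua-checksums.json
          git commit -m "chore: update aqua-checksums.json"
          git push origin "HEAD:refs/heads/${GITHUB_HEAD_REF}"
```

Two details are easy to get wrong. First, the order of the steps: the checksum commit must be pushed before the approval, otherwise the `main` protection rules dismiss the review as stale. Second, the push goes out with an app installation token rather than `GITHUB_TOKEN` precisely so that it triggers the `pull_request` workflows again; the second run finds `aqua-checksums.json` up to date, re-approves, and the required `status-check` can then turn green on the new head commit, which is what auto-merge waits for.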