hmarr · Aug 30, 2022 · Sep 1, 2022 · Sep 21, 2022 · Oct 14, 2022 · Oct 14, 2022
Showing with 24 additions and 16 deletions.

+22 −14 README.md

+1 −1 action.yml

+1 −1 package.json
diff --git a/README.md b/README.md
@@ -4,11 +4,11 @@
 
 Automatically approve GitHub pull requests.
 
-**Important:** use v2 or later, as v1 was designed for the initial GitHub Actions beta, and no longer works.
+**Important:** use v3 or later, as v2 uses Node.js 12, which is deprecated. If you're on an old version of GHES (earlier than 3.4) you may need to use v2 until you can upgrade. v1 was designed for the initial GitHub Actions beta, and no longer works.
 
 ## Usage instructions
 
-Create a workflow file (e.g. `.github/workflows/auto-approve.yml`) that contains a step that `uses: hmarr/auto-approve-action@v2`. Here's an example workflow file:
+Create a workflow file (e.g. `.github/workflows/auto-approve.yml`) that contains a step that `uses: hmarr/auto-approve-action@v3`. Here's an example workflow file:
 
 ```yaml
 name: Auto approve
@@ -20,24 +20,24 @@ jobs:
     permissions:
       pull-requests: write
     steps:
-      - uses: hmarr/auto-approve-action@v2
+      - uses: hmarr/auto-approve-action@v3
 ```
 
 Combine with an `if` clause to only auto-approve certain users. For example, to auto-approve [Dependabot][dependabot] pull requests, use:
 
 ```yaml
 name: Auto approve
 
-on: pull_request
+on: pull_request_target
 
 jobs:
   auto-approve:
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
+    if: github.actor == 'dependabot[bot]'
     steps:
-      - uses: hmarr/auto-approve-action@v2
-        if: github.actor == 'dependabot[bot]'
+      - uses: hmarr/auto-approve-action@v3
 ```
 
 If you want to use this action from a workflow file that doesn't run on the `pull_request` or `pull_request_target` events, use the `pull-request-number` input:
@@ -57,7 +57,7 @@ jobs:
     permissions:
       pull-requests: write
     steps:
-    - uses: hmarr/auto-approve-action@v2
+    - uses: hmarr/auto-approve-action@v3
       with:
         pull-request-number: ${{ github.event.inputs.pullRequestNumber }}
 ```
@@ -67,38 +67,46 @@ Optionally, you can provide a message for the review:
 ```yaml
 name: Auto approve
 
-on: pull_request
+on: pull_request_target
 
 jobs:
   auto-approve:
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
+    if: github.actor == 'dependabot[bot]'
     steps:
-      - uses: hmarr/auto-approve-action@v2
-        if: github.actor == 'dependabot[bot]'
+      - uses: hmarr/auto-approve-action@v3
         with:
           review-message: "Auto approved automated PR"
 ```
 
+### Approving on behalf of a different user
+
 By default, this will use the [automatic GitHub token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) that's provided to the workflow. This means the approval will come from the "github-actions" bot user. Make sure you enable the `pull-requests: write` permission in your workflow.
 
-To approve the pull request as a different user, pass a GitHub Personal Access Token into the `github-token` input:
+To approve the pull request as a different user, pass a GitHub Personal Access Token into the `github-token` input. In order to approve the pull request, the token needs the `repo` scope enabled.
 
 ```yaml
 name: Auto approve
 
-on: pull_request
+on: pull_request_target
 
 jobs:
   auto-approve:
     runs-on: ubuntu-latest
     steps:
-      - uses: hmarr/auto-approve-action@v2
+      - uses: hmarr/auto-approve-action@v3
         with:
           github-token: ${{ secrets.SOME_USERS_PAT }}
 ```
 
+### Approving Dependabot pull requests
+
+When a workflow is run in response to a Dependabot pull request using the `pull_request` event, the workflow won't have access to secrets. If you're trying to use a Personal Access Token (as above) but getting an error on Dependabot pull requests, this is probably why.
+
+Fortunately the fix is simple: use the `pull_request_target` event instead of `pull_request`. This runs the workflow in the context of the base branch of the pull request, which does have access to secrets.
+
 ## Why?
 
 GitHub lets you prevent merges of unapproved pull requests. However, it's occasionally useful to selectively circumvent this restriction - for instance, some people want Dependabot's automated pull requests to not require approval.
@@ -111,4 +119,4 @@ If you're using a [CODEOWNERS file](https://docs.github.com/en/github/creating-c
 
 ## Development and release process
 
-Each major version corresponds to a branch (e.g. `v1`, `v2`). The latest major version (`v2` at the time of writing) is the repository's default branch. Releases are tagged with semver-style version numbers (e.g. `v1.2.3`).
+Each major version corresponds to a branch (e.g. `v2`, `v3`). The latest major version (`v3` at the time of writing) is the repository's default branch. Releases are tagged with semver-style version numbers (e.g. `v1.2.3`).
diff --git a/action.yml b/action.yml
@@ -15,5 +15,5 @@ inputs:
     description: '(optional) The message of the pull request review.'
     required: false
 runs:
-  using: 'node12'
+  using: 'node16'
   main: 'dist/index.js'
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "auto-approve-action",
-  "version": "2.1.0",
+  "version": "3.0.0",
   "description": "Automatically approve pull requests",
   "main": "dist/main.ts",
   "scripts": {