refactor: Extract auto-approve repo list into a text file#7119
Merged
Conversation
BYK
added a commit
that referenced
this pull request
Feb 10, 2026
## Summary - Add least-privilege `permissions` blocks to the 3 workflows flagged by CodeQL for `actions/missing-workflow-permissions` (alerts #2, #5, #6). - `test.yml`: `contents: read` (only checks out code and runs tests) - `publish.yml`: `contents: read` + `issues: write` (checkout + issue comments/labels/close via `GITHUB_TOKEN`; cross-repo ops use the Release Bot app token) - `auto-approve.yml`: `contents: read` (needed for the sparse checkout being added in #7119; currently no `GITHUB_TOKEN` write usage) Resolves all 3 open code-scanning alerts.
Move the list of auto-approved repos from a long chain of startsWith()
conditions in the workflow YAML into a plain text file (one repo per line).
The workflow now does a sparse checkout of just that file and uses
grep to match the repo extracted from the issue title. The job-level
if-condition still gates on the actor and a 'publish: ' title prefix
so unrelated issues skip the job entirely.
Also removes the getsentry-release actor check (only the GitHub App
bot opens these issues now) and passes the issue title through an env
var instead of inline ${{ }} interpolation to prevent shell injection.
BYK
force-pushed
the
refactor/auto-approve-repo-list
branch
from
58cf800 to
b221b88
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
startsWith()chain in the workflowif:condition into a plain text file (auto-approve-repos.txt), one repo per line.grep -qxFfor exact matching against the repo name extracted from the issue title.if:still gates on the actor and apublish:title prefix so unrelated issues skip the job entirely (no checkout, no token).getsentry-releaseactor check since only the GitHub App bot opens these issues now.envvar instead of inline${{ }}to prevent shell injection.Maintenance
To opt-in a new repo for auto-approval, add a line to
auto-approve-repos.txt. No workflow YAML editing needed.