From b221b88952d257c55c877cb96b3719cf29572359 Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya
Date: Wed, 11 Feb 2026 10:02:58 +0000
Subject: [PATCH] refactor: Extract auto-approve repo list into a text file

Move the list of auto-approved repos from a long chain of startsWith() conditions in the workflow YAML into a plain text file (one repo per line). The workflow now does a sparse checkout of just that file and uses grep to match the repo extracted from the issue title. The job-level if-condition still gates on the actor and a 'publish: ' title prefix so unrelated issues skip the job entirely. Also removes the getsentry-release actor check (only the GitHub App bot opens these issues now) and passes the issue title through an env var instead of inline ${{ }} interpolation to prevent shell injection.
---
 .github/workflows/auto-approve.yml | 58 ++++++++----------------------
 auto-approve-repos.txt | 37 +++++++++++++++++++
 2 files changed, 51 insertions(+), 44 deletions(-)
 create mode 100644 auto-approve-repos.txt

diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml
index 97343ae..dd8add0 100644
--- a/.github/workflows/auto-approve.yml
+++ b/.github/workflows/auto-approve.yml
@@ -10,56 +10,26 @@ jobs:
 auto-approve:
 runs-on: ubuntu-latest
 if: |
- (
- github.actor == 'getsentry-release' ||
- github.actor == 'sentry-release-bot[bot]'
- ) && (
- startsWith(github.event.issue.title, 'publish: getsentry/arroyo@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/auto-type-annotate@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/devenv@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/infra-event-notifier@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/jest-sentry-environment@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/js-source-scopes@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/json-schema-diff@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/objectstore/clients@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/ophio@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/pdb@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/pyo3-python-tracing-subscriber@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/pytest-sentry@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/relay/py@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/responses@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/rust-proguard@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/rust-sourcemap@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/rust-usage-accountant@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/script-runner@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/sentry-forked-django-stubs@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/sentry-forked-djangorestframework-stubs@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/sentry-forked-jsonnet@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/sentry-infra-tools@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/sentry-kafka-management@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/sentry-kafka-schemas@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/sentry-protos@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/sentry-redis-tools@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/service-registry@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/skrooge@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/snuba-sdk@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/statsdproxy@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/status-page-list@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/streams/sentry_streams@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/symbolic@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/taskbroker/clients@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/usage-accountant@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/watto@') ||
- startsWith(github.event.issue.title, 'publish: getsentry/sentry-api-schema@') ||
- false
- )
+ github.actor == 'sentry-release-bot[bot]' &&
+ startsWith(github.event.issue.title, 'publish: ')
 steps:
+ - uses: actions/checkout@v4
+ with:
+ sparse-checkout: auto-approve-repos.txt
+ sparse-checkout-cone-mode: false
 - name: Get auth token
 id: token
 uses: actions/create-github-app-token@v2.2.1
 with:
 app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
 private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
- - run: gh issue edit ${{ github.event.issue.html_url }} --add-label accepted
+ - name: Auto-approve if repo is in the list
 env:
 GH_TOKEN: ${{ steps.token.outputs.token }}
+ ISSUE_TITLE: ${{ github.event.issue.title }}
+ ISSUE_URL: ${{ github.event.issue.html_url }}
+ run: |
+ REPO=$(echo "$ISSUE_TITLE" | sed -n 's/^publish: \(.*\)@.*/\1/p')
+ if [ -n "$REPO" ] && grep -qxF "$REPO" auto-approve-repos.txt; then
+ gh issue edit "$ISSUE_URL" --add-label accepted
+ fi
diff --git a/auto-approve-repos.txt b/auto-approve-repos.txt
new file mode 100644
index 0000000..8abcd12
--- /dev/null
+++ b/auto-approve-repos.txt
@@ -0,0 +1,37 @@
+getsentry/arroyo
+getsentry/auto-type-annotate
+getsentry/devenv
+getsentry/infra-event-notifier
+getsentry/jest-sentry-environment
+getsentry/json-schema-diff
+getsentry/js-source-scopes
+getsentry/objectstore/clients
+getsentry/ophio
+getsentry/pdb
+getsentry/pyo3-python-tracing-subscriber
+getsentry/pytest-sentry
+getsentry/relay/py
+getsentry/responses
+getsentry/rust-proguard
+getsentry/rust-sourcemap
+getsentry/rust-usage-accountant
+getsentry/script-runner
+getsentry/sentry-api-schema
+getsentry/sentry-forked-djangorestframework-stubs
+getsentry/sentry-forked-django-stubs
+getsentry/sentry-forked-jsonnet
+getsentry/sentry-infra-tools
+getsentry/sentry-kafka-management
+getsentry/sentry-kafka-schemas
+getsentry/sentry-protos
+getsentry/sentry-redis-tools
+getsentry/service-registry
+getsentry/skrooge
+getsentry/snuba-sdk
+getsentry/statsdproxy
+getsentry/status-page-list
+getsentry/streams/sentry_streams
+getsentry/symbolic
+getsentry/taskbroker/clients
+getsentry/usage-accountant
+getsentry/watto
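Review bot: In the new `run` step, `grep -qxF "$REPO" auto-approve-repos.txt` passes a title-derived value with no end-of-options marker, so a value beginning with `-` would be parsed by grep as an option rather than as the pattern. Because this match is the only thing deciding whether the `accepted` label is added, the line should read `grep -qxF -- "$REPO" auto-approve-repos.txt`. Separately, the added `actions/checkout@v4` step is referenced by a mutable tag in a job that later reads `secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY`; pinning it to a full commit SHA and adding `persist-credentials: false` under its `with:` would narrow that exposure. The workflow's `on:` trigger and any `permissions:` block are outside this hunk, so which ref the allowlist is read from cannot be confirmed here.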
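Review bot: This new file is now the allowlist that decides unattended release approval, but it lives at the repository root rather than under `.github/workflows/`, so any path-scoped review rule that covered the old inline list may no longer cover it. If the repository uses CODEOWNERS, an entry such as `/auto-approve-repos.txt @<owning-team-placeholder>` would keep edits to the list under the same review as the workflow itself. Whether such a rule already exists is not visible in this patch.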