ci(auto-approve): post approval reviews on routine-authored PRs via Triage Bot App#3488
ci(auto-approve): post approval reviews on routine-authored PRs via Triage Bot App#3488bokelley wants to merge 1 commit into
Conversation
The Claude Code triage routine opens PRs as @bokelley (the only GitHub identity available in the Anthropic routine console), which means the project owner cannot approve their own PRs and branch protection forces admin-merge for everything the routine produces. Add a separate auto-approver workflow that uses the AAO Triage Bot GitHub App to post approving reviews on PRs that are: - Routine-authored (head branch starts with `claude/` or `auto/`) - Not draft - All CI checks green (success / neutral / skipped only) - No `do-not-auto-approve` label Triggers on pull_request_target (every PR event), check_suite.completed (when CI lands), and workflow_dispatch (manual fire). Idempotent — skips if the bot already approved the current head_sha. Required repo secrets: - TRIAGE_BOT_APP_ID - TRIAGE_BOT_APP_PRIVATE_KEY The App needs `pull_requests:write` + `contents:read` and must be installed on this repo. If the secrets are missing, the workflow fails fast at the token-generation step (no silent skip). Opt-out: add the `do-not-auto-approve` label to any PR that needs human eyes (e.g., feature work the routine couldn't fully verify). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Reviewed during PR triage spin. The implementation is sound for what it claims (App-identity approval, branch filter, CI-green gate, idempotency, opt-out label, fast-fail on missing secrets). But two prerequisites need to land before this actually unblocks the routine bottleneck: 1. CODEOWNERS gate, not just review-count gateBranch ruleset on
Every routine PR touches Three options:
Recommend (a). Schema PRs and workflow PRs would still need your review, which is the right tradeoff. 2. Secret names don't matchRepo has
3. Minor implementation notes
Suggest landing CODEOWNERS narrowing first, then the App registration, then this workflow. |
|
Agreed on all three points. The workflow code stands as-is; the two prerequisites are external to this diff. On CODEOWNERS (item 1): Option (a) — removing On the App identity (item 2): The per-purpose-keys principle is correct; reusing Sequencing confirmed: CODEOWNERS narrowing → App registration + secrets → merge this workflow. PR will stay as a draft until both prerequisites are in place. Generated by Claude Code |
|
Blocked on infra setup — the workflow expects To land this, we need to:
Leaving open as a tracking PR until that infra is in place. Admin-merge has been working fine in the meantime. — Triage 2026-05-13 |
1 participant
Solves the structural admin-merge bottleneck. The Claude Code routine opens PRs as @bokelley (the only GitHub identity available in the Anthropic routine console), so I can't approve my own PRs — branch protection forces admin-merge.
Adds
.github/workflows/auto-approve-routine-prs.ymlthat uses the AAO Triage Bot GitHub App as a separate approver identity.Approval criteria
claude/orauto/do-not-auto-approvelabelTriggers
pull_request_target— every PR event re-evaluatescheck_suite.completed— fires when CI landsworkflow_dispatch— manual fire with PR numberIdempotent — skips if the bot already approved the current head_sha.
Required secrets
TRIAGE_BOT_APP_IDTRIAGE_BOT_APP_PRIVATE_KEYYou said the App is already registered. If the secret names differ, just rename in the workflow.
The App needs:
pull_requests:write(to post reviews)contents:read(to read CI status)Escape hatch
do-not-auto-approvelabel on any PR that needs real human eyes (feature work where you don't trust CI to be sufficient signal).Test plan
TRIAGE_BOT_APP_ID/TRIAGE_BOT_APP_PRIVATE_KEYexist in repo secrets (or update names in the workflow)claude/branch, verify auto-approve fires after CI greenbokelley/branch PR does not get auto-approveddo-not-auto-approvelabel blocks approval🤖 Generated with Claude Code