Auto-approve workflow for code flow PRs

roji · roji · commit 8a47fe4105b5 · 2026-03-14T07:51:07.000+02:00
diff --git a/.github/workflows/auto-approve-codeflow.yml b/.github/workflows/auto-approve-codeflow.yml
@@ -0,0 +1,121 @@
+name: Auto-approve codeflow PRs
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+permissions:
+  pull-requests: write
+
+jobs:
+  auto-approve-codeflow:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.user.login == 'dotnet-maestro[bot]'
+    steps:
+      - name: Validate and auto-approve codeflow PR
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+        run: |
+          python3 - <<'PYTHON'
+          import os, re, subprocess, sys
+
+          pr_number = os.environ["PR_NUMBER"]
+          repo = os.environ["GITHUB_REPOSITORY"]
+
+          def gh(*args: str) -> str:
+              result = subprocess.run(
+                  ["gh", *args, "--repo", repo],
+                  capture_output=True, text=True, check=True)
+              return result.stdout
+
+          # ---- allowed files ------------------------------------------------
+          ALLOWED_FILES = {
+              "eng/Version.Details.xml",
+              "eng/Version.Details.props",
+              "eng/Versions.props",
+              "global.json",
+              "NuGet.config",
+          }
+
+          # ---- regex helpers ------------------------------------------------
+          VERSION = r'[0-9]+\.[0-9]+[A-Za-z0-9.\-+]*'
+          SHA     = r'[0-9a-fA-F]{7,40}'
+          BARID   = r'[0-9]+'
+          URL     = r'https://[^\s"<>]+'
+
+          # Patterns per file – every added/removed line must match at least one
+          FILE_PATTERNS: dict[str, list[re.Pattern]] = {
+              "eng/Version.Details.xml": [
+                  re.compile(rf'^\s*<Source\s+Uri="{URL}"\s+Mapping="[^"]+"\s+Sha="{SHA}"\s+BarId="{BARID}"\s*/>\s*$'),
+                  re.compile(rf'^\s*<Sha>{SHA}</Sha>\s*$'),
+                  re.compile(rf'^\s*<Dependency\s+Name="[^"]+"\s+Version="{VERSION}">\s*$'),
+                  re.compile(rf'^\s*<Uri>{URL}</Uri>\s*$'),
+              ],
+              "eng/Version.Details.props": [
+                  re.compile(rf'^\s*<[A-Za-z][A-Za-z0-9]*>{VERSION}</[A-Za-z][A-Za-z0-9]*>\s*$'),
+                  re.compile(r'^\s*<!--.*-->\s*$'),
+              ],
+              "eng/Versions.props": [
+                  re.compile(rf'^\s*<[A-Za-z][A-Za-z0-9]*>{VERSION}</[A-Za-z][A-Za-z0-9]*>\s*$'),
+                  re.compile(r'^\s*<!--.*-->\s*$'),
+              ],
+              "global.json": [
+                  re.compile(rf'^\s*"[^"]+"\s*:\s*"{VERSION}"\s*,?\s*$'),
+              ],
+              "NuGet.config": [
+                  re.compile(rf'^\s*<add\s+key="darc-[^"]+"\s+value="{URL}"\s*/>\s*$'),
+              ],
+          }
+
+          # ---- validate the diff: files and content -------------------------
+          print(f"Validating codeflow PR #{pr_number}...")
+
+          diff_text = gh("pr", "diff", pr_number)
+          current_file: str | None = None
+          errors: list[str] = []
+
+          for raw_line in diff_text.splitlines():
+              if raw_line.startswith("diff --git"):
+                  parts = raw_line.split(" b/")
+                  current_file = parts[-1] if len(parts) >= 2 else None
+                  if current_file and current_file not in ALLOWED_FILES:
+                      errors.append(f"Unexpected file: {current_file}")
+                      current_file = None
+                  continue
+
+              if raw_line.startswith(("---", "+++", "@@", "\\ No newline")):
+                  continue
+
+              if not raw_line.startswith(("+", "-")):
+                  continue
+
+              content = raw_line[1:]
+              if not content.strip():
+                  continue
+
+              if current_file is None:
+                  continue
+
+              patterns = FILE_PATTERNS.get(current_file)
+              if patterns is None:
+                  errors.append(f"No validation patterns for file: {current_file}")
+                  continue
+
+              if not any(p.match(content) for p in patterns):
+                  errors.append(f"Unexpected change in {current_file}: {content.strip()}")
+
+          if errors:
+              for e in errors:
+                  print(f"::notice::{e}")
+              print("::notice::Skipping auto-approve – PR contains unexpected changes")
+              sys.exit(0)
+
+          print("✔ All changes are expected dependency-update patterns")
+
+          # ---- approve the PR ------------------------------------------------
+          gh("pr", "review", pr_number, "--approve",
+             "--body", "Auto-approved: codeflow dependency update PR with only version/SHA bumps in expected files.")
+          print(f"✔ PR #{pr_number} approved")
+          PYTHON
