Copilot AI commented Jan 19, 2026

The dependabot auto-approve workflow fails with GraphQL: GitHub Actions is not permitted to approve pull requests because the default GITHUB_TOKEN cannot approve PRs via gh pr review --approve.

Changes

  • Replaced gh pr review --approve with hmarr/auto-approve-action@v4 - Uses GitHub API method compatible with default GITHUB_TOKEN
  • Changed trigger from pull_request to pull_request_target - Required for Dependabot PRs to access workflow secrets
  • Added contextual review messages - Include dependency names and update type

```yaml
# Before
- run: gh pr review --approve "$PR_URL"
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# After
- uses: hmarr/auto-approve-action@v4
  with:
    review-message: "Auto-approved ${{ steps.metadata.outputs.update-type }} update for ${{ steps.metadata.outputs.dependency-names }}"
```

Security boundary unchanged: workflow only runs for github.actor == 'dependabot[bot]' and doesn't execute PR code.

Original prompt

help me fix this action error - Run echo "Auto-approving dependabot/fetch-metadata"
Auto-approving dependabot/fetch-metadata
failed to create review: GraphQL: GitHub Actions is not permitted to approve pull requests. (addPullRequestReview)
Error: Process completed with exit code 1.


Note

Ensures Dependabot PRs can be auto-approved and tweaks CI pre-commit behavior.

  • Dependabot workflow: switched to pull_request_target and replaced gh pr review --approve with hmarr/auto-approve-action@v4, adding contextual review-message; still gated to github.actor == 'dependabot[bot]'
  • CI: pre-commit now skips poetry-lock and poetry-check via SKIP env in ci.yml

Written by Cursor Bugbot for commit ecbbc02. This will update automatically on new commits. Configure here.

Co-authored-by: cayossarian <23534755+cayossarian@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix error in auto-approving dependabot fetch-metadata" to "Fix dependabot auto-approve workflow GitHub Actions permission error" Jan 19, 2026
Copilot AI requested a review from cayossarian January 19, 2026 06:28
CI modifies pyproject.toml to replace path dependencies with PyPI versions,
which causes the poetry-lock hook to fail since the lock file differs.
Since CI already runs poetry lock explicitly, these checks are redundant.
@cayossarian cayossarian marked this pull request as ready for review January 19, 2026 06:45
@cayossarian cayossarian merged commit 3290e2a into main Jan 19, 2026
7 checks passed
@cayossarian cayossarian deleted the copilot/fix-dependabot-approval-error branch January 19, 2026 06:45
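
The pull request description above rests its security claim on two properties of a pull_request_target workflow: the job is gated on github.actor == 'dependabot[bot]', and it never checks out or runs PR code. The following is an added example, not code from this repository or from Copilot, showing a heuristic text scan that tests a workflow file for those two properties plus an explicit permissions block. The function name audit, the finding labels, the permissions check, the dependabot/fetch-metadata@v2 pin and both sample workflows are assumptions constructed for illustration.

```python
import re

# Constructed sample workflows (not this repository's actual files).
SAFE = """\
on: pull_request_target
permissions:
  pull-requests: write
jobs:
  approve:
    if: github.actor == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - id: metadata
        uses: dependabot/fetch-metadata@v2
      - uses: hmarr/auto-approve-action@v4
"""

RISKY = """\
on: pull_request_target
jobs:
  approve:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pip install -e .
      - uses: hmarr/auto-approve-action@v4
"""

def audit(text):
    """Heuristic line scan (not a YAML parse); returns sorted finding labels."""
    if not re.search(r"\bpull_request_target\b", text):
        return []  # the checks below only concern this trigger
    findings = []
    # Property 1 from the PR description: job gated on the Dependabot actor.
    if not re.search(r"github\.actor\s*==\s*'dependabot\[bot\]'", text):
        findings.append("no-actor-gate")
    # Property 2: PR head is never checked out, so PR code cannot execute.
    if re.search(r"ref:\s*.*github\.(event\.pull_request\.head\.|head_ref)", text):
        findings.append("checks-out-pr-head")
    # Added assumption: token scope should be declared, not left to defaults.
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append("no-explicit-permissions")
    return sorted(findings)

if __name__ == "__main__":
    print("SAFE :", audit(SAFE))
    print("RISKY:", audit(RISKY))
```
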