
Use bot PAT for auto-merge approvals and require code owner reviews #377

Merged May 10, 2026: ydesgagn merged 2 commits into master from update-20260510-025357
@ydesgagn
Contributor

Summary

Switches the auto-merge approval workflow to use a bot Personal Access Token instead of the default GITHUB_TOKEN, transfers ownership from an individual to the Cloud-Officer/maintainers team in CODEOWNERS, and enables require_code_owner_reviews on protected branches so code owner approval is enforced.

Key changes:

  • Update .github/CODEOWNERS to assign ownership to @Cloud-Officer/maintainers (team) instead of @ydesgagn.
  • Update .github/workflows/auto-merge.yml to authenticate the approve step with secrets.GH_BOT_PAT instead of secrets.GITHUB_TOKEN.
  • Update lib/ghb/auto_merge_manager.rb to generate the auto-merge workflow with the new GH_BOT_PAT secret.
  • Update lib/ghb/repository_configurator.rb to set require_code_owner_reviews: true on protected branches.
  • Update spec/ghb/auto_merge_manager_spec.rb to assert the approve step uses secrets.GH_BOT_PAT.

Types of changes

  • Bugfix (fixes an issue)
  • New feature (adds functionality)
  • Refactoring (improves code without changing functionality)
  • Breaking change (incompatible changes)
  • Build or security update (updates dependencies, libraries, or security patches)
  • Code style or documentation update (formatting, renaming, or documentation changes)
  • Other (please describe):

Checklist

  • Unit tests added to validate my fix/feature
  • I have manually tested my change
  • I did not add automation test. Why ?:
  • Database changes requiring migration with downtime or reprocessing of existing data
  • The SOUP file lists the risk Level, requirements and verification reasoning associated with each library
  • readme.md includes sections on introduction, installation, usage, and contributing
  • docs/architecture.md includes sections on the architecture diagram, software units, software of unknown provenance, critical algorithms and risk controls related to PII and security
  • Impact on PII, privacy regulations (CCPA/GDPR/PIPEDA), CIS benchmarks or security (availability/confidentiality/integrity); management must be notified

github-actions[bot]
github-actions Bot previously approved these changes May 10, 2026
The branch-protection PUT body in repository_configurator.rb was changed
to require_code_owner_reviews: true so the bot's approval (issued via
the GH_BOT_PAT machine-user) can satisfy the code-owner review rule.
The spec assertion still expected false, breaking the rspec macOS job.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@ydesgagn merged commit 4bd4c71 into master May 10, 2026
16 checks passed
@ydesgagn deleted the update-20260510-025357 branch May 10, 2026 10:38
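
An added example, not code from this pull request or from the project: a small Ruby audit of the three settings the PR description and the commit message above say were changed (the `require_code_owner_reviews` flag, team versus individual entries in CODEOWNERS, and the secret behind the approve step). The function name `audit_merge_gate`, the sample inputs and the workflow step layout (`gh pr review --approve` with a `GH_TOKEN` env entry) are assumptions made for illustration.

```ruby
require 'json'
require 'yaml'

# Constructed inputs modelled on the pre-PR state; the workflow layout is assumed.
PROTECTION_JSON = '{"required_pull_request_reviews":{"require_code_owner_reviews":false}}'
CODEOWNERS = "# default owner\n* @ydesgagn\n"
WORKFLOW_YAML = <<~YAML
  jobs:
    approve:
      runs-on: ubuntu-latest
      steps:
        - name: Approve pull request
          run: gh pr review --approve "$PR_URL"
          env:
            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
YAML

# Returns one finding per weak setting; an empty array means the gate is consistent.
def audit_merge_gate(protection_json, codeowners, workflow_yaml)
  findings = []
  reviews = JSON.parse(protection_json)['required_pull_request_reviews'] || {}
  findings << 'code owner review not required' unless reviews['require_code_owner_reviews'] == true

  codeowners.each_line do |line|
    rule = line.sub(/#.*/, '').split # drop comments, then "pattern owner owner ..."
    next if rule.size < 2
    rule.drop(1).each do |owner|
      findings << "individual owner #{owner} on #{rule.first}" unless owner.match?(%r{\A@[^/]+/.+\z})
    end
  end

  YAML.safe_load(workflow_yaml).fetch('jobs', {}).each do |job, spec|
    spec.fetch('steps', []).each do |step|
      next unless step['run'].to_s.include?('--approve')
      tokens = step.fetch('env', {}).values.join(' ').scan(/secrets\.(\w+)/).flatten
      findings << "#{job}: approval uses GITHUB_TOKEN" if tokens.include?('GITHUB_TOKEN')
      findings << "#{job}: approval step has no token secret" if tokens.empty?
    end
  end
  findings
end

puts audit_merge_gate(PROTECTION_JSON, CODEOWNERS, WORKFLOW_YAML)
```

With the flag set to `true`, the owner set to `@Cloud-Officer/maintainers` and the secret switched to `GH_BOT_PAT`, the same function returns no findings.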