fix: auto-merge README-sync PR via GitHub App (master is protected) #166
Merged
Direct push from the workflow is rejected by branch protection (GH006: changes must be made through a pull request). The job now pushes a branch, opens a PR, and squash-merges it automatically. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
github-actions[bot] opens the README-sync PR, then a GitHub App (APP_ID / APP_PRIVATE_KEY secrets) approves and squash-merges it — a second identity is required because a PR author cannot approve its own PR and GITHUB_TOKEN approvals do not satisfy branch protection. The source branch is deleted on merge. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Pull request overview
Updates the update-readme-deps GitHub Actions workflow to handle protected master by moving README regeneration commits into an auto-managed pull request flow, using a GitHub App identity to provide the required approval/merge capabilities.
Changes:
- Grants the workflow `pull-requests: write` permission to open PRs.
- Replaces direct pushes to `master` with: create branch → commit README → open PR.
- Mints a GitHub App token to approve and (squash) merge the PR and delete the branch.
Include github.run_attempt in the branch name; github.run_id alone stays constant across re-runs of the same run, so a retry would collide with the already-pushed branch. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
dmitriifeshchenko approved these changes on Jun 8, 2026
Problem

The merged `update-readme-deps` workflow pushes the regenerated README directly to `master`, which branch protection rejects: `master` also requires an approving review, and `GITHUB_TOKEN` cannot satisfy that (a bot cannot approve its own PR, and token-based approvals don't count).

Fix

The workflow now uses two identities:
- `github-actions[bot]` (default `GITHUB_TOKEN`) — regenerates the README, pushes a branch, and opens the PR.
- `appodeal-dependabot` (via `APP_ID`/`APP_PRIVATE_KEY` secrets) — approves and squash-merges the PR.

A second identity is mandatory: the PR author can't approve its own PR. The source branch is deleted on merge.

Required setup (before this works)
- `APP_ID`, `APP_PRIVATE_KEY`
- `appodeal-dependabot` installed on the repo with Pull requests: write + Contents: write
- `CODEOWNERS`

Note

This PR itself needs a one-time human approval to merge (chicken-and-egg). Once merged, subsequent README-sync PRs are approved and merged automatically.

🤖 Generated with Claude Code
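As an added illustration of the two-identity flow described in this PR (this is an example workflow written for this page, not the project's actual `update-readme-deps` workflow), the job below pushes a branch as `github-actions[bot]`, opens the PR with `GITHUB_TOKEN`, then mints a short-lived installation token for the GitHub App and uses that second identity to approve and squash-merge. The secret names `APP_ID`/`APP_PRIVATE_KEY`, the `run_attempt` suffix in the branch name, and the delete-on-merge behaviour come from the PR; the weekly `cron` trigger, the step ids, the `readme-sync/` branch prefix, the commit/PR titles, the use of `actions/create-github-app-token@v1`, and the `./scripts/regenerate-readme.sh` path are assumptions chosen for the example.

```yaml
name: update-readme-deps

on:
  schedule:
    - cron: "0 6 * * 1"   # assumption: the page does not state the trigger
  workflow_dispatch:

# Least privilege for the default GITHUB_TOKEN: it only pushes a branch and
# opens the PR. Approval and merge are done by the App identity below.
permissions:
  contents: write
  pull-requests: write

# Serialise runs so two README-sync jobs never race each other onto master.
concurrency:
  group: update-readme-deps
  cancel-in-progress: false

jobs:
  sync-readme:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Placeholder: the project's real regeneration command is not on the page.
      - name: Regenerate README
        run: ./scripts/regenerate-readme.sh   # hypothetical script path

      # Open no PR at all when the README is already up to date.
      - name: Detect changes
        id: diff
        run: |
          if git diff --quiet -- README.md; then
            echo "changed=false" >> "$GITHUB_OUTPUT"
          else
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi

      # Identity 1: github-actions[bot] pushes the branch and opens the PR.
      # github.run_attempt is part of the branch name so a retry of the same
      # run does not collide with a branch an earlier attempt already pushed.
      - name: Push branch and open PR
        if: steps.diff.outputs.changed == 'true'
        id: pr
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BRANCH: readme-sync/${{ github.run_id }}-${{ github.run_attempt }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git checkout -b "$BRANCH"
          git commit -am "chore: sync README dependency table"
          git push origin "$BRANCH"
          # gh pr create prints the new PR's URL; pass it on to later steps.
          url=$(gh pr create --base master --head "$BRANCH" \
                  --title "chore: sync README dependency table" \
                  --body "Automated README regeneration.")
          echo "url=$url" >> "$GITHUB_OUTPUT"

      # Identity 2: a short-lived installation token for the GitHub App.
      # The App, not GITHUB_TOKEN, satisfies the required-review rule, since
      # the PR author cannot approve its own PR and token approvals don't count.
      - name: Mint GitHub App token
        if: steps.diff.outputs.changed == 'true'
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      - name: Approve and squash-merge as the App
        if: steps.diff.outputs.changed == 'true'
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          PR_URL: ${{ steps.pr.outputs.url }}
        run: |
          gh pr review "$PR_URL" --approve --body "Auto-approved by README-sync App"
          gh pr merge "$PR_URL" --squash --delete-branch
```

Two points worth checking when adapting this: the App installation should carry only the Contents: write and Pull requests: write permissions the PR lists, since the minted token can merge to `master`; and the installation token is scoped to the job and expires on its own, so nothing long-lived beyond the `APP_PRIVATE_KEY` secret itself has to be protected.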