From 94d99ad0a78da15de62daedd170c9b37843969ea Mon Sep 17 00:00:00 2001
From: Sebastien Tardif
Date: Sat, 6 Jun 2026 08:40:47 -0700
Subject: [PATCH] fix: use App token for auto-merge to unblock post-merge events

When GITHUB_TOKEN enables auto-merge, the resulting merge is attributed to github-actions[bot]. GitHub suppresses all events from GITHUB_TOKEN, so the pull_request:closed and push events never fire. This prevents the post-merge workflow from running (no auto-update of open PR branches, no CI/security/scorecard triggers on main).

Fix: use the patchloom-release App token for gh pr merge --auto. Events from GitHub App tokens are not suppressed, so post-merge triggers correctly.

Also skips both the token generation and auto-merge steps for release PRs (patchloom-release[bot] author) so the maintainer controls release timing.

Signed-off-by: Sebastien Tardif
---
 .github/workflows/auto-approve.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/auto-approve.yml b/.github/workflows/auto-approve.yml
index a7fe82d..cfdcab7 100644
--- a/.github/workflows/auto-approve.yml
+++ b/.github/workflows/auto-approve.yml
@@ -32,8 +32,15 @@ jobs:
 - uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4.0.0
+ - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+ if: github.event.pull_request.user.login != 'patchloom-release[bot]'
+ id: app-token
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
 - name: Enable auto-merge
 if: github.event.pull_request.user.login != 'patchloom-release[bot]'
 env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
 run: gh pr merge --auto --squash "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}"
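Review bot: The added `actions/create-github-app-token` step passes only `app-id` and `private-key`, so the token exported as `GH_TOKEN` is not scoped down and presumably carries every permission granted to the patchloom-release App installation. The action accepts `permission-<name>` inputs; adding `permission-contents: write` and `permission-pull-requests: write` under `with:` would limit the token to what `gh pr merge --auto` should need (confirm the minimal set against the App's settings). The workflow trigger, the job's `permissions:` block and any job-level `if:` lie outside this hunk, so it is worth confirming that the only gate on minting this token is not the author check on the step, and that no step in the job runs code from the pull request. A short comment above the step, such as `# App token: merges made with GITHUB_TOKEN do not trigger post-merge workflows`, would record why the default token is not used.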