chore(Robot): add auto approve action #8108

Merged: ArgoZhang merged 2 commits into main from feat/auto-approve-workflow on Jun 11, 2026

ArgoZhang (Member) commented Jun 11, 2026

Issues

close #8109

Summary

Add an auto-approve workflow that uses the bb-auto GitHub App to automatically approve pull requests from trusted authors, satisfying the branch protection rule that requires PR approvals.

  • Triggers on opened / reopened / synchronize / ready_for_review (re-approves after new pushes in case stale approvals are dismissed)
  • Only runs for non-draft PRs authored by accounts in the trusted list (currently ArgoZhang)
  • Generates an installation token via actions/create-github-app-token and approves with gh pr review --approve, so the approval comes from bb-auto[bot]

Required configuration (already done)

  • bb-auto app installed on this repository with Pull requests: Read and write permission
  • Repository secrets: BB_AUTO_APP_ID, BB_AUTO_PRIVATE_KEY

🤖 Generated with Claude Code

Summary by Sourcery

CI:

  • Introduce an auto-approve workflow that triggers on specific pull request events for main/master branches and approves non-draft PRs from a configured list of trusted authors using the bb-auto app token.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 11, 2026 03:57
sourcery-ai Bot (Contributor) commented Jun 11, 2026

Reviewer's Guide

Adds a new GitHub Actions workflow that auto-approves trusted authors’ pull requests using the bb-auto GitHub App to satisfy required-approval branch protections.

Sequence diagram for the new auto-approve CI workflow

```mermaid
sequenceDiagram
    actor PR_Author
    participant GitHub as GitHub
    participant Auto_Approve_Workflow as auto_approve_workflow
    participant Create_GH_App_Token as actions_create_github_app_token
    participant BB_Auto_App as bb_auto_app
    participant GH_CLI as gh_cli

    PR_Author->>GitHub: open/reopen/synchronize/ready_for_review PR
    GitHub->>Auto_Approve_Workflow: trigger pull_request event
    Auto_Approve_Workflow->>Auto_Approve_Workflow: [non_draft & trusted_author]
    Auto_Approve_Workflow->>Create_GH_App_Token: actions/create-github-app-token
    Create_GH_App_Token->>BB_Auto_App: generate installation token
    BB_Auto_App-->>Create_GH_App_Token: installation token
    Create_GH_App_Token-->>Auto_Approve_Workflow: token output
    Auto_Approve_Workflow->>GH_CLI: gh pr review --approve
    GH_CLI->>GitHub: submit review as bb-auto[bot]
    GitHub-->>PR_Author: PR approved by bb-auto[bot]
```

File-Level Changes

Change: Introduce auto-approval GitHub Actions workflow for trusted PR authors on main/master branches.

Details:
  • Create .github/workflows/auto-approve.yml workflow triggered on pull_request events (opened, reopened, synchronize, ready_for_review) targeting master and main branches
  • Restrict job execution to non-draft PRs where the author login is in a hard-coded trusted list via an if condition
  • Use actions/create-github-app-token@v2 with BB_AUTO_APP_ID and BB_AUTO_PRIVATE_KEY secrets to mint an installation token for the bb-auto app
  • Use the GitHub CLI gh pr review command with the app token to submit an approving review from bb-auto[bot] including a fixed review body

Files: .github/workflows/auto-approve.yml

bb-auto Bot previously approved these changes Jun 11, 2026

bb-auto Bot left a comment

Auto approved by bb-auto

sourcery-ai Bot (Contributor) left a comment

Hey - I've found 1 issue, and left some high level feedback:

  • Consider adding an explicit permissions block to the workflow (e.g. pull-requests: write, contents: read) to follow the principle of least privilege instead of relying on the default token permissions.
  • If you intend this to work for PRs from forks, note that repository secrets are not exposed to pull_request events from forks; if that’s a requirement, you may need to adjust the event type or approach for obtaining the GitHub App token.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- Consider adding an explicit `permissions` block to the workflow (e.g. `pull-requests: write`, `contents: read`) to follow the principle of least privilege instead of relying on the default token permissions.
- If you intend this to work for PRs from forks, note that repository secrets are not exposed to `pull_request` events from forks; if that’s a requirement, you may need to adjust the event type or approach for obtaining the GitHub App token.

## Individual Comments

### Comment 1
<location path=".github/workflows/auto-approve.yml" line_range="15-18" />
<code_context>
+      - ready_for_review
+
+jobs:
+  auto_approve:
+    name: auto approve
+    runs-on: ubuntu-latest
+    # 仅对信任的作者自动审批,按需在列表中追加账号
+    if: |
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Explicitly declare required permissions for the workflow to reduce the default permission scope.

This job currently uses the runner’s default token scope. Since it only needs to approve PRs via an app token, you can likely restrict it to minimal permissions (e.g. `permissions: { contents: read }`, or even `permissions: {}` if `create-github-app-token` doesn’t need repo scopes). Tightening `permissions` improves safety and makes intent clearer.

```suggestion
  auto_approve:
    name: auto approve
    runs-on: ubuntu-latest
    # Restrict default GITHUB_TOKEN scope; job primarily uses app token for approvals
    permissions:
      contents: read
    # Auto-approve only for trusted authors; append accounts to the list as needed
```
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
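
A least-privilege sketch of the workflow this PR describes, folding in both points from the review above: an explicit `permissions` block, and skipping fork PRs, where the app secrets are not available. This is an added example, not the repository's `auto-approve.yml`; the step id, the exact `if:` expression and the fork check are assumptions.

```yaml
# Added example, not the project's own workflow file.
name: auto approve (example)

on:
  pull_request:
    branches: [main, master]
    types: [opened, reopened, synchronize, ready_for_review]

# Restrict the default GITHUB_TOKEN; the approval itself uses the app token.
permissions:
  contents: read

jobs:
  auto_approve:
    name: auto approve
    runs-on: ubuntu-latest
    # Assumed form of the gate: non-draft, same-repository head branch
    # (fork PRs get no secrets, so skip them), and a trusted author.
    if: >-
      github.event.pull_request.draft == false &&
      github.event.pull_request.head.repo.full_name == github.repository &&
      contains(fromJSON('["ArgoZhang"]'), github.event.pull_request.user.login)
    steps:
      - name: Mint an installation token for the app
        id: app-token   # step id is an assumption
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ secrets.BB_AUTO_APP_ID }}
          private-key: ${{ secrets.BB_AUTO_PRIVATE_KEY }}

      - name: Approve as the app
        env:
          # gh reads GH_TOKEN, so the review is submitted by the app identity.
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          # Passed through env rather than interpolated into the script text.
          PR_URL: ${{ github.event.pull_request.html_url }}
        run: gh pr review "$PR_URL" --approve --body "Auto approved by bb-auto"
```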

Comment thread .github/workflows/auto-approve.yml Outdated
ArgoZhang changed the title from "ci: add auto-approve workflow using bb-auto app" to "chore(Robot): add auto approve action" Jun 11, 2026

Copilot AI (Contributor) left a comment

Pull request overview

Adds a GitHub Actions workflow to automatically approve pull requests authored by a trusted account using the bb-auto GitHub App, to satisfy branch protection requirements for approvals.

Changes:

  • Introduced .github/workflows/auto-approve.yml to auto-approve non-draft PRs from a trusted author list on key PR events.
  • Uses actions/create-github-app-token@v2 to mint an installation token and approves via gh pr review --approve as bb-auto[bot].


Comment thread .github/workflows/auto-approve.yml
codecov Bot commented Jun 11, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (bb912ea) to head (3356be5).

Additional details and impacted files
@@            Coverage Diff            @@
##              main     #8108   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files          766       766           
  Lines        34204     34204           
  Branches      4696      4696           
=========================================
  Hits         34204     34204           
Flag Coverage Δ
BB 100.00% <ø> (?)


Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

bb-auto Bot left a comment

Auto approved by bb-auto

ArgoZhang self-assigned this Jun 11, 2026
ArgoZhang added the chore ("This are tasks or bot action") label Jun 11, 2026
ArgoZhang added this to the v10.7.0 milestone Jun 11, 2026
ArgoZhang linked an issue Jun 11, 2026 that may be closed by this pull request
ArgoZhang merged commit da9119c into main Jun 11, 2026
7 checks passed
ArgoZhang deleted the feat/auto-approve-workflow branch June 11, 2026 04:14