I have manual approval set up for GitHub Actions using environments, viz. item1 and item2, with the approver being the actor named mohtashims.

Below is my workflow where I wish actor mohtashims to auto-approve environment item1 and item2 for deploy job matrix.
I tried using the solution here: https://github.com/activescott/automate-environment-deployment-approval
However, it does not auto-approve, as seen in the snapshots below, and waits for manual approval by the actor mohtashims.
```yaml
name: NEW Environment Approval Workflow
on:
  push:
    branches:
      - main
jobs:
  deploy:
    name: Deploy to Environments
    runs-on: ubuntu-latest
    needs: auto_approve
    strategy:
      matrix:
        environment: [item1, item2]
    environment: ${{ matrix.environment }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      # Add steps to build and package your application
      - name: Deploy to ${{ matrix.environment }} environment
        run: |
          echo "I run post approval for ${{ matrix.environment }}"
  auto_approve:
    runs-on: ubuntu-latest
    steps:
      - name: Auto Approve Deploys
        # you can use any @vN.N.N tag from https://github.com/activescott/automate-environment-deployment-approval/releases
        uses: activescott/automate-environment-deployment-approval@main
        with:
          github_token: ${{ secrets.GH_TOKEN_FOR_AUTO_APPROVING_DEPLOYS }}
          environment_allow_list: |
            item1
            item2
          # The below automatically approves dependabot and anything submitted by the Github user with login "activescott"
          actor_allow_list: |
            dependabot[bot]
            mohtashims
```
The logs clearly say that auto-approval is registered for both item1 and item2:
```
Run activescott/automate-environment-deployment-approval@main
input environments_to_approve: [ 'item1', 'item2' ]
input actors_to_approve: [ 'dependabot[bot]', 'mohtashims' ]
Deployment 'Update main.yml' (8224974043) to environment 'item1' will be approved...
Deployment 'Update main.yml' (8224974044) to environment 'item1' will be approved...
Notice: Found 2 deploys that should be approved...
Approving deployment to item1 triggered by mohtashims for run Update main.yml...
Notice: Approved deployment to item1 triggered by mohtashims for run Update main.yml.
Approving deployment to item1 triggered by mohtashims for run Update main.yml...
Notice: Approved deployment to item1 triggered by mohtashims for run Update main.yml.
```
As you can see in the snapshot below, it's past 9 minutes and both item1 and item2 have not been auto-approved; this is the issue I'm reporting here.

Am I missing anything? Kindly suggest.
I feel there could be an issue with the third-party workflow for auto-approval out of our scope.
Eventually, my objective would be to get partial approval done using auto-approval, like only item2 and not item1. Could you suggest a different solution for auto-approval to work?
I need the solution to work for both Windows and non-Windows runners. A sample test case would be great to have.
I replicated your scenario by having two environments: item1 and item2. On these I did set myself as a reviewer:

Then I did create a classic personal access token, but as described in activescott/automate-environment-deployment-approval's README, a fine-grained one would also work. I gave it the repo permission.
I created a repository secret for the PAT called GH_TOKEN_FOR_AUTO_APPROVING_DEPLOYS.
The first workflow that I created is .github/workflows/auto-approval.yml and looks like this:
```yaml
name: Auto approval
on: [deployment, workflow_dispatch]
jobs:
  auto_approve:
    runs-on: ubuntu-latest
    steps:
      - name: Auto Approve Deploys
        uses: activescott/automate-environment-deployment-approval@v1.0.6
        with:
          github_token: ${{ secrets.GH_TOKEN_FOR_AUTO_APPROVING_DEPLOYS }}
          environment_allow_list: |
            item1
            item2
          actor_allow_list: |
            dependabot[bot]
            VincentVerweij
```
I took release version v1.0.6 as a best practice; putting that release's Git SHA ccde97a would be more secure, as the maintainer cannot alter that.
The deployment trigger for this workflow is required to act on any deployments that you will create (which you do for your matrix job).
Then we have your workflow, which requires an automatic approval. I created one, .github/workflows/matrices.yml, and it has these contents:
```yaml
name: Go matrix go
on:
  push:
    branches:
      - main
jobs:
  deploy:
    name: Deploy to Environments
    runs-on: ubuntu-latest
    strategy:
      matrix:
        environment: [item1, item2]
    environment: ${{ matrix.environment }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      # Add steps to build and package your application
      - name: Deploy to ${{ matrix.environment }} environment
        run: |
          echo "I run post approval for ${{ matrix.environment }}"
```
Now when I am starting the matrices.yml workflow, you will notice that it is waiting for approval.

And immediately after that, the auto-approval.yml is triggered automatically. Twice, because we have 2 deployments because of our matrix, which starts a deployment for environment item1 and item2. This can also be seen by the workflow run names:

Those auto-approval.yml workflow runs did perform the approval in my name:
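
For the partial-approval goal in the question (release item2 automatically, leave item1 for a human), the allow-list decision can be written directly against GitHub's pending-deployments REST endpoints. This is an added example, not part of the answer above and not the activescott action's code; `plan_review`, `SAMPLE_PENDING`, the environment ids and the `prod` environment are constructed for illustration.

```python
import json

# Constructed sample shaped like the response of
# GET /repos/{owner}/{repo}/actions/runs/{run_id}/pending_deployments
SAMPLE_PENDING = json.loads("""
[
  {"environment": {"id": 101, "name": "item1"}, "current_user_can_approve": true},
  {"environment": {"id": 102, "name": "item2"}, "current_user_can_approve": true},
  {"environment": {"id": 103, "name": "prod"},  "current_user_can_approve": false}
]
""")


def plan_review(pending, run_actor, environment_allow_list, actor_allow_list):
    """Return the review request body for one run, or None if nothing may be approved.

    Fails closed: an environment is approved only if the triggering actor and
    the environment name are both allow-listed (exact string match) and the
    token's user is a reviewer who can approve that environment.
    """
    if run_actor not in set(actor_allow_list):
        return None
    allowed_envs = set(environment_allow_list)
    env_ids = [
        d["environment"]["id"]
        for d in pending
        if d["environment"]["name"] in allowed_envs
        and d.get("current_user_can_approve") is True
    ]
    if not env_ids:
        return None
    # Body for POST /repos/{owner}/{repo}/actions/runs/{run_id}/pending_deployments
    return {
        "environment_ids": env_ids,
        "state": "approved",
        "comment": f"Auto-approved for {run_actor} by allow-list policy",
    }


if __name__ == "__main__":
    # Partial approval: only item2 is released, item1 keeps waiting for a human.
    print(plan_review(SAMPLE_PENDING, "mohtashims", ["item2"], ["mohtashims"]))
    # Actor not on the allow list: nothing is approved.
    print(plan_review(SAMPLE_PENDING, "someone-else", ["item1", "item2"], ["mohtashims"]))
```

The token used for the POST belongs to a required reviewer, so anything on the allow lists bypasses the manual gate; keep both lists as short as the policy allows.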
