feat: add low-risk PR self-approval workflows (#245)

rogeriochaves · web-flow · commit 0a8ddcdd7330 · 2026-03-04T11:53:09.000+01:00
* feat: add low-risk PR self-approval workflows

Add three GitHub Actions workflows and a policy document to enable
self-approval of low-risk PRs (e.g. test config, docs, formatting):

- approval-or-hotfix.yml: enforces that PRs need either 1 approval
  or a "hotfix"/"low-risk-change" label
- low-risk-evaluation.yml: AI-powered evaluation of PR diffs against
  the low-risk policy, auto-labels qualifying PRs
- low-risk-label-reset.yml: removes the label when new commits are
  pushed, requiring re-evaluation
- docs/LOW_RISK_PULL_REQUESTS.md: documents the policy criteria

Ported from langwatch/langwatch with minor adjustments for this repo.

* fix: retrigger approval check on push/rebase

Add opened, reopened, and synchronize to the pull_request trigger
types so the check re-runs after rebases and new commits instead of
going stale and blocking merge.

* fix: auto-run low-risk evaluation on every PR, use dedicated API key

- Trigger evaluation automatically on PR open/reopen/synchronize
  instead of requiring manual workflow_dispatch
- Fold label reset into the evaluation workflow (remove stale label
  first, then re-evaluate fresh) — deletes separate label-reset workflow
- Use LOW_RISK_OPENAI_API_KEY secret for cost tracking
- Keep workflow_dispatch as fallback for manual runs
- Use gpt-4.1-mini instead of gpt-5-mini
diff --git a/.github/workflows/approval-or-hotfix.yml b/.github/workflows/approval-or-hotfix.yml
@@ -0,0 +1,53 @@
+name: Approval or Exception Required
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize, labeled, unlabeled]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  check-approval-or-label:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+
+    steps:
+      - name: Check for approval or exception labels
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const pr = context.payload.pull_request;
+
+            // Labels that allow bypass
+            const exceptionLabels = ["hotfix", "low-risk-change"];
+            const hasExceptionLabel = pr.labels.some(label => exceptionLabels.includes(label.name));
+
+            // Get PR reviews
+            const reviews = await github.rest.pulls.listReviews({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: pr.number,
+            });
+
+            // Count unique approvals
+            const approvedUsers = new Set();
+            for (const review of reviews.data) {
+              if (review.state === "APPROVED") {
+                approvedUsers.add(review.user.login);
+              }
+            }
+
+            const approvalCount = approvedUsers.size;
+
+            if (hasExceptionLabel) {
+              core.info(`PR has exception label (${pr.labels.map(l => l.name).join(", ")}). Passing check.`);
+              return;
+            }
+
+            if (approvalCount >= 1) {
+              core.info(`PR has ${approvalCount} approval(s). Passing check.`);
+              return;
+            }
+
+            core.setFailed("PR requires at least 1 approval, or a label: hotfix / low-risk-change.");
diff --git a/.github/workflows/low-risk-evaluation.yml b/.github/workflows/low-risk-evaluation.yml
@@ -0,0 +1,248 @@
+name: Low-Risk PR Evaluation
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: "PR number to evaluate"
+        required: true
+        type: number
+
+permissions:
+  pull-requests: write
+  contents: read
+
+jobs:
+  evaluate:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Resolve PR number
+        id: pr
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          if [ -n "${{ inputs.pr_number }}" ]; then
+            echo "number=${{ inputs.pr_number }}" >> "$GITHUB_OUTPUT"
+          else
+            echo "number=${{ github.event.pull_request.number }}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Remove stale low-risk-change label
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const prNumber = ${{ steps.pr.outputs.number }};
+            try {
+              await github.rest.issues.removeLabel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                name: "low-risk-change",
+              });
+              core.info(`Removed stale low-risk-change label from PR #${prNumber}.`);
+            } catch (error) {
+              if (error.status !== 404) throw error;
+              core.info("No low-risk-change label to remove.");
+            }
+
+      - name: Fetch PR metadata and diff
+        id: pr-data
+        env:
+          GH_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ steps.pr.outputs.number }}
+        run: |
+          gh pr view "$PR_NUMBER" --json title,body --template '{{.title}}' > /tmp/pr_title.txt
+          gh pr view "$PR_NUMBER" --json title,body --template '{{.body}}' > /tmp/pr_body.txt
+          gh pr view "$PR_NUMBER" --json files --jq '.files[].path' > /tmp/pr_files.txt
+          gh pr diff "$PR_NUMBER" > /tmp/pr_diff.txt
+
+          # Fail closed if diff exceeds model window — large PRs could hide risky changes
+          DIFF_LIMIT=100000
+          DIFF_SIZE=$(wc -c < /tmp/pr_diff.txt)
+          if [ "$DIFF_SIZE" -gt "$DIFF_LIMIT" ]; then
+            echo "PR diff is ${DIFF_SIZE} chars (> ${DIFF_LIMIT}); too large for automated evaluation."
+            echo "oversized=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "oversized=false" >> "$GITHUB_OUTPUT"
+            cp /tmp/pr_diff.txt /tmp/pr_diff_truncated.txt
+          fi
+
+      - name: Fail fast for oversized diffs
+        id: oversized
+        if: steps.pr-data.outputs.oversized == 'true'
+        run: |
+          echo "qualifies=false" >> "$GITHUB_OUTPUT"
+          echo "scope=Diff too large for automated evaluation" >> "$GITHUB_OUTPUT"
+          echo "reasoning=This PR's diff exceeds the size limit for automated low-risk evaluation. Manual review required." >> "$GITHUB_OUTPUT"
+
+      - name: Check for restricted paths
+        id: path-check
+        if: steps.pr-data.outputs.oversized == 'false'
+        run: |
+          RESTRICTED_PATTERN='^(\.github/workflows/|(auth|security|migrations)/|.*/(auth|security|migrations)/)'
+          if grep -qE "$RESTRICTED_PATTERN" /tmp/pr_files.txt; then
+            echo "Restricted paths detected:"
+            grep -E "$RESTRICTED_PATTERN" /tmp/pr_files.txt
+            echo "blocked=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "blocked=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Fail fast for restricted paths
+        id: restricted
+        if: steps.path-check.outputs.blocked == 'true'
+        run: |
+          echo "qualifies=false" >> "$GITHUB_OUTPUT"
+          echo "scope=Changes include restricted paths (workflows, auth, migrations, etc.)" >> "$GITHUB_OUTPUT"
+          echo "reasoning=This PR modifies files in restricted directories that require manual review per policy." >> "$GITHUB_OUTPUT"
+
+      - name: Evaluate PR with OpenAI
+        id: evaluate
+        if: steps.pr-data.outputs.oversized == 'false' && steps.path-check.outputs.blocked == 'false'
+        env:
+          OPENAI_API_KEY: ${{ secrets.LOW_RISK_OPENAI_API_KEY }}
+        run: |
+          POLICY=$(cat docs/LOW_RISK_PULL_REQUESTS.md)
+          PR_TITLE=$(cat /tmp/pr_title.txt)
+          PR_BODY=$(cat /tmp/pr_body.txt)
+          PR_DIFF=$(cat /tmp/pr_diff_truncated.txt)
+
+          # Build the JSON payload using jq to handle escaping
+          PAYLOAD=$(jq -n \
+            --arg policy "$POLICY" \
+            --arg title "$PR_TITLE" \
+            --arg body "$PR_BODY" \
+            --arg diff "$PR_DIFF" \
+            '{
+              model: "gpt-4.1-mini",
+              temperature: 0,
+              response_format: {
+                type: "json_schema",
+                json_schema: {
+                  name: "low_risk_evaluation",
+                  strict: true,
+                  schema: {
+                    type: "object",
+                    properties: {
+                      qualifies: { type: "boolean", description: "true if the PR meets ALL low-risk criteria" },
+                      reasoning: { type: "string", description: "2-3 sentence explanation of the assessment" },
+                      scope: { type: "string", description: "Brief summary of what the PR changes" }
+                    },
+                    required: ["qualifies", "reasoning", "scope"],
+                    additionalProperties: false
+                  }
+                }
+              },
+              messages: [
+                {
+                  role: "system",
+                  content: ("You evaluate pull requests against a low-risk change policy.\n\nHere is the policy:\n\n" + $policy + "\n\nEvaluate the PR and return JSON with exactly these fields:\n- \"qualifies\": boolean (true if the PR meets ALL low-risk criteria)\n- \"reasoning\": string (2-3 sentence explanation of your assessment)\n- \"scope\": string (brief summary of what the PR changes)")
+                },
+                {
+                  role: "user",
+                  content: ("PR Title: " + $title + "\n\nPR Description:\n" + $body + "\n\nDiff:\n" + $diff)
+                }
+              ]
+            }')
+
+          RESPONSE=$(curl -s --max-time 60 https://api.openai.com/v1/chat/completions \
+            -H "Content-Type: application/json" \
+            -H "Authorization: Bearer $OPENAI_API_KEY" \
+            -d "$PAYLOAD")
+
+          # Extract the assistant's message content
+          RESULT=$(echo "$RESPONSE" | jq -r '.choices[0].message.content')
+
+          if [ "$RESULT" = "null" ] || [ -z "$RESULT" ]; then
+            echo "OpenAI API error:"
+            echo "$RESPONSE" | jq .
+            exit 1
+          fi
+
+          echo "$RESULT" > /tmp/evaluation.json
+
+          QUALIFIES=$(echo "$RESULT" | jq -r '.qualifies')
+          REASONING=$(echo "$RESULT" | jq -r '.reasoning')
+          SCOPE=$(echo "$RESULT" | jq -r '.scope')
+
+          echo "qualifies=$QUALIFIES" >> "$GITHUB_OUTPUT"
+
+          SCOPE_DELIM="$(openssl rand -hex 16)"
+          {
+            echo "scope<<$SCOPE_DELIM"
+            echo "$SCOPE"
+            echo "$SCOPE_DELIM"
+          } >> "$GITHUB_OUTPUT"
+
+          REASONING_DELIM="$(openssl rand -hex 16)"
+          {
+            echo "reasoning<<$REASONING_DELIM"
+            echo "$REASONING"
+            echo "$REASONING_DELIM"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Apply label and comment
+        uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ steps.pr.outputs.number }}
+          QUALIFIES: ${{ steps.oversized.outputs.qualifies || steps.restricted.outputs.qualifies || steps.evaluate.outputs.qualifies }}
+          SCOPE: ${{ steps.oversized.outputs.scope || steps.restricted.outputs.scope || steps.evaluate.outputs.scope }}
+          REASONING: ${{ steps.oversized.outputs.reasoning || steps.restricted.outputs.reasoning || steps.evaluate.outputs.reasoning }}
+        with:
+          script: |
+            const prNumber = parseInt(process.env.PR_NUMBER, 10);
+            const qualifies = process.env.QUALIFIES === 'true';
+            const scope = process.env.SCOPE;
+            const reasoning = process.env.REASONING;
+
+            if (qualifies) {
+              await github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                labels: ["low-risk-change"],
+              });
+
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                body: [
+                  "**Automated low-risk assessment**",
+                  "",
+                  `This PR was evaluated against the repository's [Low-Risk Pull Requests](docs/LOW_RISK_PULL_REQUESTS.md) procedure.`,
+                  `- **Scope:** ${scope}`,
+                  `- **Exclusions confirmed:** no changes to auth, security settings, database schema, business-critical logic, or external integrations.`,
+                  `- **Classification:** \`low-risk-change\` under the documented policy.`,
+                  "",
+                  `> ${reasoning}`,
+                  "",
+                  "This classification allows merging without manual review once all required CI checks are passing and branch protection rules are satisfied.",
+                ].join("\n"),
+              });
+
+              core.info(`PR #${prNumber} labeled as low-risk-change.`);
+            } else {
+              await github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: prNumber,
+                body: [
+                  "**Automated low-risk assessment**",
+                  "",
+                  `This PR was evaluated against the repository's [Low-Risk Pull Requests](docs/LOW_RISK_PULL_REQUESTS.md) procedure and **does not qualify** as low risk.`,
+                  "",
+                  `> ${reasoning}`,
+                  "",
+                  "This PR requires a manual review before merging.",
+                ].join("\n"),
+              });
+
+              core.info(`PR #${prNumber} does not qualify as low-risk.`);
+            }
diff --git a/docs/LOW_RISK_PULL_REQUESTS.md b/docs/LOW_RISK_PULL_REQUESTS.md
@@ -0,0 +1,49 @@
+# Low-Risk Pull Requests
+
+This document describes when a pull request (PR) may be merged without manual review by using the `low-risk-change` label, in line with our ISO 27001 change management process (Annex A 8.32).
+
+## When a PR Is Low Risk
+
+A PR may be treated as **low risk** only if:
+
+- It does **not** change:
+  - Authentication or authorization logic.
+  - Secrets, encryption, or security settings.
+  - Database schemas, migrations, or data models.
+  - Business‑critical logic (e.g. billing, reporting, financial calculations).
+  - Integrations with third‑party systems or external APIs.
+
+- It is limited to:
+  - UI text, layout, or styling.
+  - Documentation, comments, or code formatting.
+  - Test configuration (e.g. adding flaky markers, adjusting timeouts, test fixtures).
+  - Other configuration or code that is explicitly documented as low risk and easy to revert.
+
+If you are unsure, do **not** use `low-risk-change`; request a normal review instead.
+
+## How the Flow Works
+
+1. Create a PR and link it to the relevant issue/ticket.
+2. Describe the change and briefly state why it is low risk.
+3. Optional: run the AI/automation to check the diff and apply the `low-risk-change` label.
+4. The PR can be merged **without review** only if:
+   - The `low-risk-change` label is present.
+   - All required CI checks are green.
+   - The target branch is protected (no direct pushes; status checks required).
+
+PRs that do not meet these conditions must follow the normal review and approval process.
+
+## Label Validity
+
+- The `low-risk-change` label is only valid for the specific diff that was evaluated.
+- Any new commit pushed to the PR after the label was applied must trigger either:
+  - Automatic removal of the `low-risk-change` label, or
+  - Re‑evaluation by the AI/automation, which may re‑apply the label if the updated diff still qualifies as low risk.
+
+## Evidence
+
+For audits, we rely on:
+
+- The issue/ticket linked in the PR.
+- The PR record (diff, author, `low-risk-change` label, AI/automation comments if used).
+- CI and deployment logs from our standard pipeline.
