Change GITHUB_TOKEN to PRIVACY_CONFIG_PAT #4224

# Auto Respond to PR Workflow
#
# This workflow automatically generates and posts diff comments showing changes to generated configuration files.
#
# ## Generated Diff Output Guide:
# - **X files changed**: Multiple files with identical changes (collapsed for readability)
# - **X files identical**: Files that are exactly the same between base and PR branches
# - **File headers**: Show `--- filename (and X other files)` when multiple files share the same diff
# - **File lists**: Individual files are listed under each collapsed section
# - **Sections**: `latest` (current config version, expanded) and `legacy` (older versions, collapsed)
#
# The diff script groups files by their actual changes to reduce noise and improve review efficiency.
name: Auto Respond to PR
on:
  pull_request:
    types:
      - opened
      - synchronize
    paths:
      - '**.json'
      - '**.js'
      - '**.yml'
jobs:
  auto_respond:
    runs-on: ubuntu-latest
    steps:
      - name: Create comment
        if: github.event.action == 'opened'
        uses: peter-evans/create-or-update-comment@v4
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            👋 Don't forget to **add an individual reviewer** (in addition to those auto-added), as this will create a task for them in Asana.
            - The best reviewer is most likely a feature or platform owner.
            - If they've got permission to approve, you're good to merge. See [CODEOWNERS](https://github.com/duckduckgo/privacy-configuration/blob/main/CODEOWNERS)
            - As a fallback the Global owners are:
              - [Breakage AOR](https://github.com/orgs/duckduckgo/teams/breakage-aor)
              - [Breakage triagers](https://github.com/orgs/duckduckgo/teams/breakage)
              - [Config AOR](https://github.com/orgs/duckduckgo/teams/config-aor)
            👉 Please mark this as DRAFT unless there's an intention to merge this immediately.
            👉 Click "Merge when ready" if you're happy for this to be automatically merged once reviewed. (If not available, ensure you've signed in to DuckDuckGo oauth.)
            👉 Don't forget to add schema changes to validate if you're adding/changing a feature.
            - [Config Reviewer Documentation](https://app.asana.com/0/1200890834746050/1204443212791216/f)
            - [Config Maintainer Documentation](https://app.asana.com/0/1200890834746050/1200573250322769/f)
            - [Feature Implementer Documentation](https://app.asana.com/0/1200890834746050/1201498956177210/f)
      - name: Checkout base branch
        uses: actions/checkout@v5
        with:
          ref: ${{ github.event.pull_request.base.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          path: base
      - name: Checkout PR branch
        uses: actions/checkout@v5
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          path: pr
          fetch-depth: 0
      - name: Install dependencies
        run: |
          npm install diff fast-json-patch
      - name: Run build script on base branch
        run: |
          cd base
          npm install
          node index.js
          cd ..
      - name: Run build script on PR branch
        run: |
          cd pr
          git config --global user.email "dax@duck.com"
          git config --global user.name "dax"
          git rebase -X theirs origin/${{ github.event.pull_request.base.ref }}
          npm install
          node index.js
          cd ..
      - name: Create diff of file outputs
        run: node pr/.github/scripts/diff-directories.js base/generated pr/generated > diff_output.txt
      - name: Create JSON approval analysis
        run: node pr/.github/scripts/json-diff-directories.js base/generated pr/generated > approval_output.txt
      - name: Check changed files
        id: check_files
        run: |
          cd pr
          # Get list of changed files
          changed_files=$(git diff --name-only origin/${{ github.event.pull_request.base.ref }}...HEAD)
          echo "Changed files:"
          echo "$changed_files"
          # Check if all changed files are JSON files in overrides/ or features/
          valid_changes=true
          while IFS= read -r file; do
            if [[ ! "$file" =~ ^(overrides|features)/.+\.json$ ]]; then
              echo "❌ Invalid file change detected: $file"
              echo "Only JSON files in overrides/ and features/ directories are allowed for auto-approval"
              valid_changes=false
            fi
          done <<< "$changed_files"
          if [ "$valid_changes" = true ]; then
            echo "✅ All changed files are valid JSON files in allowed directories"
            echo "files_valid=true" >> $GITHUB_OUTPUT
          else
            echo "files_valid=false" >> $GITHUB_OUTPUT
          fi
      - name: Parse approval output
        id: approval
        run: |
          if grep -q "AUTO-APPROVED" approval_output.txt; then
            echo "approved=true" >> $GITHUB_OUTPUT
          else
            echo "approved=false" >> $GITHUB_OUTPUT
          fi
      - name: Find Previous Diff Comment
        uses: peter-evans/find-comment@v3
        id: find_diff_comment
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: 'Generated file outputs'
          direction: last
      - name: Find Previous Approval Comment
        uses: peter-evans/find-comment@v3
        id: find_approval_comment
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: 'JSON approval analysis'
          direction: last
      - name: Create Diff Comment Body
        uses: actions/github-script@v7
        id: create_diff_body
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            const diffOutput = fs.readFileSync('diff_output.txt', 'utf8');
            let commentBody = `
            ### [Generated file outputs](https://github.com/duckduckgo/privacy-configuration/blob/main/.github/workflows/auto-respond-pr.yml#L5-L12):
            *Time updated:* ${new Date().toUTCString()}
            ${diffOutput}
            `
            if (commentBody.length > 65536) {
              commentBody = '❌ Generated diff output is too large to post as a comment, run locally to see the diff and validate'
            }
            core.setOutput('comment_body', commentBody);
      - name: Wait for Cursor Bugbot
        uses: fountainhead/action-wait-for-check@v1.2.0
        id: wait-for-build
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          checkName: Cursor Bugbot
          ref: ${{ github.event.pull_request.head.sha }}
          timeoutSeconds: 600
      - name: Auto approve
        if: steps.wait-for-build.outputs.conclusion == 'success' && steps.approval.outputs.approved == 'true' && steps.check_files.outputs.files_valid == 'true'
        run: |
          gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GITHUB_TOKEN: ${{ secrets.PRIVACY_CONFIG_PAT }}
      - name: Create Approval Comment Body
        uses: actions/github-script@v7
        id: create_approval_body
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            const approvalOutput = fs.readFileSync('approval_output.txt', 'utf8');
            let commentBody = `
            ### [🔴 **BETA** JSON approval analysis](https://github.com/duckduckgo/privacy-configuration/blob/main/.github/workflows/auto-respond-pr.yml#L5-L12):
            *Time updated:* ${new Date().toUTCString()}
            ${approvalOutput}
            `
            if (commentBody.length > 65536) {
              commentBody = '❌ Approval analysis output is too large to post as a comment, run locally to see the analysis and validate'
            }
            core.setOutput('comment_body', commentBody);
      - name: Create, or Update the Diff Comment
        uses: peter-evans/create-or-update-comment@v4
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-id: ${{ steps.find_diff_comment.outputs.comment-id }}
          body: ${{ steps.create_diff_body.outputs.comment_body }}
          edit-mode: replace
      - name: Create, or Update the Approval Comment
        uses: peter-evans/create-or-update-comment@v4
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-id: ${{ steps.find_approval_comment.outputs.comment-id }}
          body: ${{ steps.create_approval_body.outputs.comment_body }}
          edit-mode: replace
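Review bot: the "Auto approve" step now runs `gh pr review --approve` with `GITHUB_TOKEN: ${{ secrets.PRIVACY_CONFIG_PAT }}` instead of the workflow's own token, so the approval will be recorded under the PAT owner's account rather than `github-actions[bot]`, and that account's review is what branch protection will count. Two things worth documenting next to the step: which account owns `PRIVACY_CONFIG_PAT` and that it should be a fine-grained token limited to this repository with pull-request write access only, since the same PAT is the only credential in the job that can approve. Note also that the PAT is correctly confined to the `env:` of this one step, which runs after the gates on `wait-for-build`, `approval` and `check_files`; keep it out of the earlier steps, which execute `npm install` and `node index.js` from the PR checkout.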
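The grouping described in the workflow header (files with identical changes collapsed under one `--- filename (and X other files)` header, identical files counted separately), as an added JavaScript example that is not the repository's own `diff-directories.js`; it works on in-memory strings rather than the `base/generated` and `pr/generated` directories, and `changeKey` is a simplified line-level diff used only as the grouping key, not a real unified diff.

```javascript
// Added example (not the repository's diff-directories.js): group generated
// files by the change they carry, as the workflow header documents.
// Assumption: inputs are strings; the real script reads two directories.

// Simplified change summary: lines only in base ("-") and lines only in pr ("+").
// Good enough as a grouping key; it is not a positional unified diff.
function changeKey(base, pr) {
  const baseLines = base.split('\n');
  const prLines = pr.split('\n');
  const baseSet = new Set(baseLines);
  const prSet = new Set(prLines);
  const removed = baseLines.filter((l) => !prSet.has(l)).map((l) => '-' + l);
  const added = prLines.filter((l) => !baseSet.has(l)).map((l) => '+' + l);
  return [...removed, ...added].join('\n');
}

// files: { name: { base, pr } } -> { identical: [names], groups: [{ key, files }] }
function groupByChange(files) {
  const identical = [];
  const groups = new Map();
  for (const [name, { base, pr }] of Object.entries(files)) {
    if (base === pr) { identical.push(name); continue; }
    const key = changeKey(base, pr);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(name);
  }
  return { identical, groups: [...groups].map(([key, names]) => ({ key, files: names })) };
}

// Render in the documented style: counts, a collapsed header per distinct
// change with "(and X other files)", then the file list for that group.
function render(summary) {
  const changed = summary.groups.reduce((n, g) => n + g.files.length, 0);
  const out = [`${changed} files changed`, `${summary.identical.length} files identical`];
  for (const g of summary.groups) {
    const [first, ...rest] = g.files;
    const extra = rest.length ? ` (and ${rest.length} other files)` : '';
    out.push(`--- ${first}${extra}`, g.key, 'Files: ' + g.files.join(', '));
  }
  return out.join('\n');
}

// Constructed sample: two platform configs share one edit, one is unchanged,
// one legacy-version file has a different edit.
const sample = {
  'v2/android-config.json': { base: '{"a":1}\n', pr: '{"a":2}\n' },
  'v2/ios-config.json': { base: '{"a":1}\n', pr: '{"a":2}\n' },
  'v2/macos-config.json': { base: '{"b":1}\n', pr: '{"b":1}\n' },
  'v1/android-config.json': { base: '{"a":1}\n', pr: '{"a":1,"c":3}\n' },
};
```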