This guide documents the setup for a bot account that automatically approves pull requests created by your main developer account. This solves the GitHub branch protection requirement of needing at least one approval when you're the only human developer.
Use case: Solo developer + Copilot AI agent, where branch protection requires ≥1 approval before merging.
Your Main Account
↓ (creates PR)
Pull Request
↓ (GitHub Actions workflow triggered)
Bot Account
↓ (approves via GitHub API)
PR Status: Approved ✅
↓ (if auto-merge enabled)
Main Branch Updated
- Create a new GitHub account separate from your main account
  - Use a dedicated email address (e.g., yourname+bot@emailprovider.com)
  - Name it descriptively: username-bot, automation-bot, or copilot-reviewer
  - Important: Use a personal account, not a team or organization account
- Verify the bot account email
- The bot account does not need any repositories or profile setup
- Sign in to your main account
- Go to your repository on GitHub
- Click Settings → Collaborators (or Access → Collaborators)
- Click Add people
- Search for the bot account username
- Select role: Write (allows approving PRs and merging)
- Click Add
The bot account will receive an email invitation.
- Sign in to the bot account
- Check the email for a GitHub repository invitation
- Click the invitation link or visit https://github.com/notifications/invitations
- Click Accept to join the repository
Verification: After the bot accepts, the bot should appear as a collaborator in your repo settings with "Write" role.
Sign in as the bot account, then:
- Go to Settings → Developer settings → Personal access tokens → Tokens (classic)
- Click Generate new token (classic)
- Configure the token:
  - Token name: PR Approver Token (or descriptive name)
  - Expiration: 90 days (or as per your security policy)
  - Scopes: Select only repo (full control of private repositories)
- Click Generate token
- Copy the token immediately — GitHub will not show it again
Security: Store this token securely. Never commit it to version control.
Sign in to your main account, then:
- Go to your repository
- Click Settings → Secrets and variables → Actions
- Click New repository secret
- Configure:
  - Name: Choose a descriptive name (e.g., BOT_APPROVAL_TOKEN, BOT_PAT)
  - Value: Paste the token from Step 3
- Click Add secret
Note: The secret name will be referenced in your GitHub Actions workflow. Do not share this secret name publicly.
Create a new file in your repository:
Path: .github/workflows/auto-approve-pr.yml
Content:
```yaml
name: Auto-Approve PR

on:
  pull_request:
    types: [opened, synchronize]

jobs:
  approve:
    runs-on: ubuntu-latest
    # Only auto-approve PRs created by YOUR main account
    # Replace 'your-main-username' with your actual GitHub username
    if: github.actor == 'your-main-username'
    steps:
      - name: Approve Pull Request
        uses: actions/github-script@v6
        with:
          # Use the secret name you created in Step 4
          github-token: ${{ secrets.BOT_APPROVAL_TOKEN }}
          script: |
            // await the call so a failed API request fails the step
            await github.rest.pulls.createReview({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.issue.number,
              event: 'APPROVE',
              body: 'Auto-approved by bot after author review. ✅'
            })
```

- Trigger: Runs when a PR is opened or updated (opened, synchronize)
- Condition: Only runs if github.actor is your main account. github.actor is the account that triggered the event: the PR creator for opened, and whoever pushed the new commits for synchronize
- Action: Uses the bot's authentication token to approve the PR via GitHub API
- Comment: Leaves an automated message in the PR
Replace these placeholders:
- your-main-username → Your GitHub username
- BOT_APPROVAL_TOKEN → The secret name you chose in Step 4
To automatically merge PRs after bot approval (requires all status checks to pass):
- Go to Settings → Pull Requests
- Enable Allow auto-merge
- Optionally select default merge method (Squash, Merge, or Rebase)
Add this step to .github/workflows/auto-approve-pr.yml to enable auto-merge programmatically:
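```yaml
      - name: Enable Auto-Merge
        uses: actions/github-script@v6
        with:
          # GITHUB_TOKEN needs contents: write and pull-requests: write for this call
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            // Auto-merge is enabled through the GraphQL API (there is no REST call for it)
            await github.graphql(
              `mutation($id: ID!) {
                 enablePullRequestAutoMerge(input: {pullRequestId: $id, mergeMethod: SQUASH}) {
                   clientMutationId
                 }
               }`,
              { id: context.payload.pull_request.node_id }
            )
```

To enforce the approval requirement: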
- Go to Settings → Branches
- Click Add rule (or edit existing protection for main/master branch)
- Branch name pattern: main (or your default branch)
- Enable these protections:
  - ✅ Require a pull request before merging
  - ✅ Require approvals: Set to 1 required approval
  - ✅ Require status checks to pass (if you have tests/linting)
  - ✅ Require conversation resolution
  - ✅ Allow auto-merge (optional, for automatic merging)
With the bot as a collaborator and the auto-approval workflow, the approval requirement is now satisfied automatically.
```bash
# 1. Create feature branch
git checkout -b feature/my-feature
# ...edit files, then stage them before committing
git add -A
git commit -m "Add feature X"
git push -u origin feature/my-feature

# 2. Create PR (via GitHub UI or CLI)
# GitHub UI: Click "Compare & pull request"
# OR via CLI:
gh pr create --title "Add feature X" --body "Description of changes"

# 3. Automatic steps:
# - GitHub Actions workflow triggers
# - Bot account approves the PR
# - (Optional) PR auto-merges if status checks pass

# 4. Result: Changes merged to main branch
```

- Push feature branch and create PR
- Review PR changes in GitHub UI (check diffs, comments, test results)
- Workflow auto-approves PR
- Click Merge pull request button
- Main branch is updated
- ✅ Approval condition: Workflow only approves PRs created by your main account (prevents unauthorized approvals)
- ✅ Token storage: Store bot's PAT in GitHub Actions secrets (never in code or environment variables)
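- ✅ Token scope: Bot token uses minimal scope (repo only). On a classic token the repo scope applies to every repository the bot account can access, so keep the bot a collaborator on this repository only
- ✅ Role restriction: Bot has "Write" access (can approve/merge, not admin)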
- Expiration: Token expires after the configured period (e.g., 90 days)
- Rotation: Regenerate and update the GitHub Actions secret when token expires
- Exposure: If token is compromised, regenerate immediately and update the secret
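The workflow, as configured, does not:
- Approve PRs created by other users (blocked by the if: github.actor == 'your-main-username' condition)
- Make code changes or push to branches
- Modify repository settings
- Delete repository

These limits come from the workflow, not from the token: the bot's "Write" role and repo scope would still allow pushing to branches that are not protected.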
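The approval condition and the `if: github.actor == 'your-main-username'` check above compare only the account that triggered the run. The following added example (not part of the original guide) shows a stricter gate that also checks the PR author and the head repository. The function name, the sample events and `other-user` are assumptions made for illustration.

```javascript
// Added example (not from the original guide): a stricter approval gate.
// TRUSTED_LOGIN stands in for the guide's 'your-main-username' placeholder.
const TRUSTED_LOGIN = 'your-main-username';

// GitHub logins are case-insensitive, so compare in lower case.
const sameLogin = (a, b) =>
  typeof a === 'string' && a.toLowerCase() === b.toLowerCase();

// ctx mirrors what github-script exposes: context.actor and context.payload.
function approvalDecision(ctx, trusted = TRUSTED_LOGIN) {
  const pr = ctx.payload && ctx.payload.pull_request;
  if (!pr) return { approve: false, reason: 'not a pull_request event' };

  // github.actor is whoever triggered this run: the opener on 'opened',
  // the pusher on 'synchronize'.
  if (!sameLogin(ctx.actor, trusted)) {
    return { approve: false, reason: `run triggered by ${ctx.actor}` };
  }
  // The PR author is a separate field and can differ from the actor.
  const author = pr.user && pr.user.login;
  if (!sameLogin(author, trusted)) {
    return { approve: false, reason: `PR authored by ${author}` };
  }
  // The head branch must live in the base repository, not in a fork.
  const headRepo = pr.head.repo && pr.head.repo.full_name;
  if (headRepo !== pr.base.repo.full_name) {
    return { approve: false, reason: 'head branch is in a fork' };
  }
  return { approve: true, reason: 'actor and author are the trusted account' };
}

// Constructed sample events (hypothetical repository and second user).
const repo = { full_name: 'your-main-username/demo' };
const event = (actor, author, headRepo = repo) => ({
  actor,
  payload: { pull_request: { user: { login: author },
    head: { repo: headRepo }, base: { repo } } },
});
const samples = {
  ownPr: event('your-main-username', 'your-main-username'),
  pushToOthersPr: event('your-main-username', 'other-user'),
  othersPushToOwnPr: event('other-user', 'your-main-username'),
  forkPr: event('your-main-username', 'your-main-username',
    { full_name: 'other-user/demo' }),
};
for (const [name, ctx] of Object.entries(samples)) {
  console.log(name, approvalDecision(ctx));
}
```

Inside the workflow's script, the same function can be called with `context` before `createReview`, returning early when `approve` is false.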
- Create a test feature branch with a small change
- Push and create a PR
- Observe the GitHub Actions workflow:
  - Go to PR → Checks tab
  - Look for the "Auto-Approve PR" workflow
  - It should show status: ✅ Passed
- Verify bot account appears as "Approved" in the PR review section
- Confirm PR can now be merged (if branch protection allows)
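The verification steps above can also be checked from the PR's review list. This added example (not part of the original guide) classifies the bot's latest review, using the fields returned by the REST reviews endpoint. The bot login, commit ids and status labels are constructed for illustration.

```javascript
// Added example (not from the original guide). Review objects use the fields
// returned by GET /repos/{owner}/{repo}/pulls/{number}/reviews.
function botApprovalStatus(reviews, botLogin, headSha) {
  const bot = botLogin.toLowerCase();
  const latest = reviews
    .filter((r) => r.user && r.user.login.toLowerCase() === bot)
    // Plain comments do not change a reviewer's approval state.
    .filter((r) => r.state !== 'COMMENTED')
    .sort((a, b) => Date.parse(a.submitted_at) - Date.parse(b.submitted_at))
    .pop();

  if (!latest) return 'missing'; // the bot never submitted a review
  if (latest.state !== 'APPROVED') return 'not-approved'; // e.g. DISMISSED
  // Each review records the commit it was submitted against.
  return latest.commit_id === headSha ? 'approved-head' : 'approved-older-commit';
}

// Constructed sample data: hypothetical bot login and shortened commit ids.
const BOT = 'username-bot';
const sampleReviews = [
  { user: { login: 'username-bot' }, state: 'APPROVED',
    commit_id: 'aaa111', submitted_at: '2024-01-01T10:00:00Z' },
  { user: { login: 'your-main-username' }, state: 'COMMENTED',
    commit_id: 'bbb222', submitted_at: '2024-01-01T11:00:00Z' },
];
// Same PR after a later push, with the first approval dismissed.
const dismissedReviews = [
  { ...sampleReviews[0], state: 'DISMISSED' },
  sampleReviews[1],
];

console.log(botApprovalStatus(sampleReviews, BOT, 'aaa111'));
console.log(botApprovalStatus(sampleReviews, BOT, 'bbb222'));
console.log(botApprovalStatus(dismissedReviews, BOT, 'bbb222'));
```

A result of approved-older-commit means the workflow did not re-run, or failed, on the latest synchronize event.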
- Check that the PR creator (github.actor) matches your-main-username in the workflow condition
- Verify the workflow file is in .github/workflows/ directory
- Check Actions tab in your repo for workflow run history and logs
- Verify bot account is added as a collaborator with "Write" role
- Confirm the secret exists in repository Settings → Secrets and variables
- Check that secret name in workflow matches the actual secret name you created
- Review workflow logs in Actions tab to see error messages
- Verify bot account PAT token hasn't expired
- Confirm bot account email is verified on GitHub
- Go to your repository
- Click Actions tab
- Click the workflow run name (e.g., "Auto-Approve PR")
- Click the job name (e.g., "approve")
- Expand steps to see detailed logs
If the bot account approach doesn't work for your use case:
- Remove the approval requirement from branch protection
- Keep other protections: status checks, conversation resolution, linear history
- Trade-off: No gatekeeping for PRs, but faster workflow for solo development
- GitHub Rulesets provide more granular control than branch protection rules
- Allows excluding specific users/apps from certain requirements
- Better for complex scenarios with multiple permission levels