From 78e71172e621e77151b21c104821a5523dcb9248 Mon Sep 17 00:00:00 2001
From: Sean Dempsey
Date: Mon, 25 May 2026 20:00:31 -0700
Subject: [PATCH 1/3] auto-approve diff deployments for trusted actors
---
.github/workflows/preapprove-deployments.yaml | 29 +++++++++++++++++++
.github/workflows/privileged-verify.yaml | 1 +
2 files changed, 30 insertions(+)
create mode 100644 .github/workflows/preapprove-deployments.yaml
diff --git a/.github/workflows/preapprove-deployments.yaml b/.github/workflows/preapprove-deployments.yaml
new file mode 100644
index 0000000..9a8c7c2
--- /dev/null
+++ b/.github/workflows/preapprove-deployments.yaml
@@ -0,0 +1,29 @@
+name: Pre-approve
+on: deployment_status
+
+permissions:
+ actions: read
+ deployments: write
+
+jobs:
+ approve:
+ runs-on: ubuntu-latest
+ if: >-
+ github.event.deployment_status.state == 'waiting' &&
+ github.event.deployment.environment == 'Test' &&
+ github.event.workflow_run.name == 'Privileged Verify' &&
+ (github.actor == 'dependabot[bot]' || github.actor == github.repository_owner)
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ steps:
+ - name: Get environment id
+ id: env-id
+ run: echo "env-id=$(gh api repos/${{ github.repository }}/environments/Test --jq .id)" >> $GITHUB_OUTPUT
+ - name: Approve
+ env:
+ RUN_ID: ${{ github.event.workflow_run.id }}
+ ENV_ID: ${{ steps.env-id.outputs.env-id }}
+ run: |-
+ gh api --method POST \
+ repos/${{ github.repository }}/actions/runs/${RUN_ID}/pending_deployments \
+ --input '{"environment_ids": [${ENV_ID}], "state": "approved", "comment": "Auto-approved trusted actor by workflow"}'
diff --git a/.github/workflows/privileged-verify.yaml b/.github/workflows/privileged-verify.yaml
index 7239334..a09e307 100644
--- a/.github/workflows/privileged-verify.yaml
+++ b/.github/workflows/privileged-verify.yaml
@@ -14,6 +14,7 @@ permissions: concurrency: group: privileged-verify cancel-in-progress: false + queue: max jobs: diff:
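Review bot: The `if:` gate on the `approve` job decides trust from `github.actor`, which is the account associated with the event, not the provenance of the code the gated `Privileged Verify` job will execute; whether those coincide depends on how that workflow is triggered, which is not in this series. `github.repository_owner` is the organization login on org-owned repositories, so the second alternative would never match a user account there. If the gate is revived (patch 3 removes the file because `GITHUB_TOKEN` cannot approve), also check the deployment's source, e.g. restrict `github.event.deployment.ref` to in-repo branches, and document the intent above the condition: `# github.actor identifies the event sender, not the code author; leave required reviewers in place for anything outside in-repo refs`. A PAT stored as a secret for this purpose lets every job that can read that secret bypass the environment's required reviewers, so scope it as a fine-grained token limited to this repository's deployments.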
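Review bot: `queue: max` under `concurrency` in privileged-verify.yaml is not a key I recognize from the workflow syntax (`group` and `cancel-in-progress` are the documented ones), and an unknown key fails workflow validation before any job runs, so verify it against the current syntax reference. If the intent is to keep every pending run instead of the default behaviour, where a newly queued run cancels the previously pending run in the same group, state that next to the key, e.g. `# keep all pending runs queued; the default cancels the previously pending run in this group`. The `concurrency` block is shown in full, but the rest of the workflow is outside the hunk.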
From d674ec48253f33a7b5087953d29700015fbfaeb4 Mon Sep 17 00:00:00 2001
From: Sean Dempsey
Date: Mon, 25 May 2026 20:05:36 -0700
Subject: [PATCH 2/3] Specify body fields with -F
---
.github/workflows/preapprove-deployments.yaml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/preapprove-deployments.yaml b/.github/workflows/preapprove-deployments.yaml
index 9a8c7c2..5ded410 100644
--- a/.github/workflows/preapprove-deployments.yaml
+++ b/.github/workflows/preapprove-deployments.yaml
@@ -22,8 +22,9 @@ jobs: - name: Approve env: RUN_ID: ${{ github.event.workflow_run.id }} - ENV_ID: ${{ steps.env-id.outputs.env-id }} run: |- gh api --method POST \ repos/${{ github.repository }}/actions/runs/${RUN_ID}/pending_deployments \
- --input '{"environment_ids": [${ENV_ID}], "state": "approved", "comment": "Auto-approved trusted actor by workflow"}'
+ -F 'environment_ids[]=${{ steps.env-id.outputs.env-id }}' \
+ -F 'state=approved' \
+ -F 'comment=Auto-approved trusted actor by workflow'
From f407cbd7406373fd15e8398f2954a8ff4bdd8338 Mon Sep 17 00:00:00 2001
From: Sean Dempsey
Date: Mon, 25 May 2026 20:14:53 -0700
Subject: [PATCH 3/3] remove preapproval because it needs a PAT :(
---
.github/workflows/preapprove-deployments.yaml | 30 -------------------
1 file changed, 30 deletions(-)
delete mode 100644 .github/workflows/preapprove-deployments.yaml
diff --git a/.github/workflows/preapprove-deployments.yaml b/.github/workflows/preapprove-deployments.yaml
deleted file mode 100644
index 5ded410..0000000
--- a/.github/workflows/preapprove-deployments.yaml
+++ /dev/null
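Review bot: The rewritten `Approve` step interpolates `${{ steps.env-id.outputs.env-id }}` directly into the `run:` script, after patch 1 had routed it through `env:` as `ENV_ID`; the value here is a numeric id read from the API, so there is no injection path in this instance, but inline expressions in `run:` are the pattern that turns attacker-influenced outputs into shell, and the same step already passes `RUN_ID` through `env:`. Keeping `ENV_ID: ${{ steps.env-id.outputs.env-id }}` in `env:` and writing `-F "environment_ids[]=${ENV_ID}"` (double quotes, so the shell expands it, unlike the single-quoted `--input` body this patch removes) preserves the fix while keeping the script free of expressions. The step's `env:` and `run:` keys are inside the hunk; the job definition starts before it.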
@@ -1,30 +0,0 @@
-name: Pre-approve
-on: deployment_status
-
-permissions:
- actions: read
- deployments: write
-
-jobs:
- approve:
- runs-on: ubuntu-latest
- if: >-
- github.event.deployment_status.state == 'waiting' &&
- github.event.deployment.environment == 'Test' &&
- github.event.workflow_run.name == 'Privileged Verify' &&
- (github.actor == 'dependabot[bot]' || github.actor == github.repository_owner)
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- steps:
- - name: Get environment id
- id: env-id
- run: echo "env-id=$(gh api repos/${{ github.repository }}/environments/Test --jq .id)" >> $GITHUB_OUTPUT
- - name: Approve
- env:
- RUN_ID: ${{ github.event.workflow_run.id }}
- run: |-
- gh api --method POST \
- repos/${{ github.repository }}/actions/runs/${RUN_ID}/pending_deployments \
- -F 'environment_ids[]=${{ steps.env-id.outputs.env-id }}' \
- -F 'state=approved' \
- -F 'comment=Auto-approved trusted actor by workflow'