From d504cdc9d0aae87b43863d0422924d528d76a530 Mon Sep 17 00:00:00 2001
From: Marcel van der Veldt
Date: Tue, 21 Oct 2025 23:38:59 +0200
Subject: [PATCH] Optimize release workflow
---
 .github/release-drafter.yml | 9 +++++
 .../auto-merge-dependency-updates.yml | 40 +++++++++++--------
 2 files changed, 33 insertions(+), 16 deletions(-)
diff --git a/.github/release-drafter.yml b/.github/release-drafter.yml
index 69ba6fc4..05b70c02 100644
--- a/.github/release-drafter.yml
+++ b/.github/release-drafter.yml
@@ -2,6 +2,15 @@ change-template: '- $TITLE (by @$AUTHOR in #$NUMBER)' prerelease: true prerelease-identifier: 'b' include-pre-releases: true + +# Exclude bots from contributors list +exclude-contributors: + - dependabot + - dependabot[bot] + - github-actions + - github-actions[bot] + - music-assistant-machine + categories: - title: "⚠ Breaking Changes"
diff --git a/.github/workflows/auto-merge-dependency-updates.yml b/.github/workflows/auto-merge-dependency-updates.yml
index 7ebf0fcf..f189d09b 100644
--- a/.github/workflows/auto-merge-dependency-updates.yml
+++ b/.github/workflows/auto-merge-dependency-updates.yml
@@ -17,25 +17,31 @@ jobs: auto-merge: name: Auto-approve and merge runs-on: ubuntu-latest - # Only run if PR is from our automation accounts + # Only run if branch name matches the expected pattern if: | - github.event.pull_request.user.login == 'github-actions[bot]' || - github.event.pull_request.user.login == 'music-assistant-machine' + startsWith(github.event.pull_request.head.ref, 'auto-update-frontend-') || + startsWith(github.event.pull_request.head.ref, 'auto-update-models-') permissions: contents: write pull-requests: write steps: - # Security check 1: Verify PR is from trusted automation - - name: Verify PR is from trusted automation + # Security check 1: Verify PR is from user with write access + - name: Verify PR is from trusted source + id: verify_pr_author run: | PR_AUTHOR="${{ github.event.pull_request.user.login }}" - if [[ "$PR_AUTHOR" != "github-actions[bot]" && "$PR_AUTHOR" != "music-assistant-machine" ]]; then - echo "❌ PR author is not a trusted automation account: $PR_AUTHOR" + + # Check if PR author has write access to the repository (includes org members and bots) + if gh api "/repos/${{ github.repository }}/collaborators/$PR_AUTHOR/permission" --jq '.permission' 2>/dev/null | grep -qE "^(admin|write|maintain)$"; then + echo "✅ PR is from user with write access: $PR_AUTHOR" + else + echo "❌ PR author does not have write access: $PR_AUTHOR" exit 1 fi - echo "✅ PR is from trusted automation account: $PR_AUTHOR" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Security check 2: Verify PR labels and source branch - name: Verify PR labels and source @@ -56,7 +62,7 @@ jobs: echo "✅ PR has 'dependencies' label and valid branch name" # IMPORTANT: Checkout the PR's head to validate file changes - # This is required for the git commands in security check 4 + # This is required for the git commands in security check 5 - name: Checkout PR branch uses: actions/checkout@v4 with: 
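Review bot: The job-level `if:` now keys on `github.event.pull_request.head.ref`, which is chosen by whoever opens the PR (for a fork PR it is simply the fork's branch name), so it is a prefilter rather than an authorization control and the comment above it should say so, e.g. `# Branch-name prefilter only: head.ref is chosen by the PR author; the permission check in the first step is the trust gate`. That first step does fail closed, because any `gh api` failure goes to `/dev/null` and `grep -q` then returns non-zero, but the same `❌ ... does not have write access` message is printed for a 404, a rate limit or an under-scoped token, so it is worth confirming on a real run that the endpoint reports `write`/`admin` for the identities the removed allowlist named (`github-actions[bot]`, `music-assistant-machine`) — the "(includes org members and bots)" in the new comment is an assumption this hunk does not demonstrate, and an unexpected `none`/404 would silently stop auto-merging. Replacing a two-account allowlist with "anyone who has write access" is a trust-boundary change that the commit subject "Optimize release workflow" does not convey; a sentence in the workflow header comment explaining the intended trust model would help the next reader. Since the step now has an `env:` block, the login is better passed through it than interpolated into the script body: add `PR_AUTHOR: ${{ github.event.pull_request.user.login }}` under `env:` and drop the `PR_AUTHOR="${{ ... }}"` assignment; GitHub logins have a restricted character set so this is hardening rather than a live injection, and the same applies to `${{ steps.pr.outputs.commit_author }}` in the check-4 hunk. The event trigger and the remainder of the job are outside this hunk.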
@@ -74,22 +80,24 @@ jobs: COMMIT_AUTHOR=$(gh pr view "$PR_NUMBER" --json commits --jq '.commits[0].authors[0].login') echo "commit_author=$COMMIT_AUTHOR" >> $GITHUB_OUTPUT - echo "PR #$PR_NUMBER from $COMMIT_AUTHOR" + echo "PR #$PR_NUMBER with commits from $COMMIT_AUTHOR" env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # Security check 4: Verify commit author matches PR author + # Security check 4: Verify commit author has write access - name: Verify commit author run: | COMMIT_AUTHOR="${{ steps.pr.outputs.commit_author }}" - PR_AUTHOR="${{ github.event.pull_request.user.login }}" - if [[ "$COMMIT_AUTHOR" != "$PR_AUTHOR" ]]; then - echo "❌ Commit author ($COMMIT_AUTHOR) does not match PR author ($PR_AUTHOR)" + # Check if commit author has write access to the repository + if gh api "/repos/${{ github.repository }}/collaborators/$COMMIT_AUTHOR/permission" --jq '.permission' 2>/dev/null | grep -qE "^(admin|write|maintain)$"; then + echo "✅ Commit author has write access: $COMMIT_AUTHOR" + else + echo "❌ Commit author does not have write access: $COMMIT_AUTHOR" exit 1 fi - - echo "✅ Commit author matches PR author" + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Security check 5: Verify only dependency files were changed - name: Verify only dependency files were changed -- 2.34.1
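Review bot: Security check 4 still inspects only `.commits[0].authors[0].login` (the context line in the preceding step), so a PR whose first commit is by a write-access user passes even when later commits come from someone else; the removed check at least tied that single author to the PR opener, whereas the new one tests write access for one commit and says nothing about the rest. A more complete version collects every author in the step that sets the output and loops over the list in check 4, failing closed on an empty list and on an unlinked author (which `gh` reports as `null`, presumably rejected by the permission lookup today but only with a misleading message); the rewritten lines are below, and the output name changes from `commit_author` to `commit_authors`. As in check 1, `COMMIT_AUTHOR="${{ steps.pr.outputs.commit_author }}"` interpolates an API-derived value into the script body; now that the step has an `env:` block that value belongs there. The enclosing job and security check 5 continue outside the hunk.
```yaml
      # … unchanged: step "pr" up to and including the gh pr view call for PR_NUMBER …
          # Every author of every commit, space-separated; an unlinked commit author yields "null"
          COMMIT_AUTHORS=$(gh pr view "$PR_NUMBER" --json commits --jq '[.commits[].authors[].login // "null"] | unique | join(" ")')
          echo "commit_authors=$COMMIT_AUTHORS" >> $GITHUB_OUTPUT
      # … unchanged: env with GH_TOKEN …

      # Security check 4: every commit author must have write access
      - name: Verify commit authors
        run: |
          if [[ -z "$COMMIT_AUTHORS" ]]; then
            echo "❌ Could not determine commit authors"
            exit 1
          fi
          for AUTHOR in $COMMIT_AUTHORS; do
            if [[ "$AUTHOR" == "null" ]] || ! gh api "/repos/${{ github.repository }}/collaborators/$AUTHOR/permission" --jq '.permission' 2>/dev/null | grep -qE "^(admin|write|maintain)$"; then
              echo "❌ Commit author does not have write access: $AUTHOR"
              exit 1
            fi
            echo "✅ Commit author has write access: $AUTHOR"
          done
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COMMIT_AUTHORS: ${{ steps.pr.outputs.commit_authors }}
```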