fix: disable auto-merge instead of failing CI for Renovate PRs with plan changes (#3575)

* fix: disable auto-merge instead of failing CI for Renovate PRs with plan changes

Replace validateRenovateChange() (which fails CI) with
disableAutoMergeForRenovateChange() (which disables auto-merge on the PR
via GraphQL). CI no longer fails, and the renovate-change label is
deprecated. Add accept_change_by_renovate setting to tfaction.yaml
per-target config to opt out of auto-merge disabling.

Ref: #3571

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor: use .default(false) for accept_change_by_renovate in Zod schema

Make the default explicit at the schema level, removing the need for
manual ?? false fallback in get-target-config. Widen getJobConfig's
parameter type to accept both TargetConfig and TargetGroup.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* test: fix test

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: suzuki-shunsuke

install/github-comment.yaml

@@ -92,12 +92,12 @@ post:
 
   renovate-plan-change:
     template: |
-      ## :x: {{if .Vars.tfaction_target}}{{.Vars.tfaction_target}}: {{end}}Renovate's PR must be `No change`
+      ## :warning: {{if .Vars.tfaction_target}}{{.Vars.tfaction_target}}: {{end}}Auto-merge was disabled because `terraform plan` has changes
 
       {{template "link" .}}
 
-      In the pull request created by Renovate, the result of `terraform plan` must be `No change` to enable automerge safely.
-      If you allow changes, please set the pull request label `renovate-change` and rerun CI.
+      In the pull request created by Renovate, `terraform plan` detected changes. Auto-merge has been disabled for safety.
+      Please review the plan and merge the pull request manually if the changes are expected.
 
 exec:
   default:

renovate.json5

@@ -6,5 +6,4 @@
     "github>aquaproj/aqua-renovate-config#2.10.0",
     "github>aquaproj/aqua-renovate-config:file#2.10.0(aqua/.*\\.yaml)",
   ],
-  addLabels: ["renovate-change"],
 }

src/actions/get-target-config/index.test.ts

@@ -22,6 +22,7 @@ test("default", async () => {
       ["enable_trivy", true],
       ["enable_terraform_docs", false],
       ["destroy", false],
+      ["accept_change_by_renovate", false],
       ["tflint_fix", false],
       ["terraform_command", "terraform"],
     ]),
@@ -71,6 +72,7 @@ test("config", async () => {
       ["terraform_command", "tofu"],
       ["aws_role_session_name", "test"],
       ["destroy", false],
+      ["accept_change_by_renovate", false],
       ["enable_terraform_docs", false],
     ]),
   };
@@ -170,6 +172,7 @@ test("tfmigrate plan", async () => {
       ["enable_trivy", true],
       ["enable_terraform_docs", false],
       ["destroy", false],
+      ["accept_change_by_renovate", false],
       ["tflint_fix", false],
       ["terraform_command", "terraform"],
       ["aws_assume_role_arn", "arn:aws:iam::123:role/tfmigrate-plan"],
@@ -222,6 +225,7 @@ test("tfmigrate apply", async () => {
       ["enable_trivy", true],
       ["enable_terraform_docs", false],
       ["destroy", false],
+      ["accept_change_by_renovate", false],
       ["tflint_fix", false],
       ["terraform_command", "terraform"],
       ["aws_assume_role_arn", "arn:aws:iam::123:role/tfmigrate-apply"],
@@ -274,6 +278,7 @@ test("terraform apply", async () => {
       ["enable_trivy", true],
       ["enable_terraform_docs", false],
       ["destroy", false],
+      ["accept_change_by_renovate", false],
       ["tflint_fix", false],
       ["terraform_command", "terraform"],
       ["aws_assume_role_arn", "arn:aws:iam::123:role/terraform-apply"],
@@ -325,6 +330,7 @@ test("explicit aws_role_session_name overrides auto-generation", async () => {
       ["enable_trivy", true],
       ["enable_terraform_docs", false],
       ["destroy", false],
+      ["accept_change_by_renovate", false],
       ["tflint_fix", false],
       ["terraform_command", "terraform"],
       ["aws_role_session_name", "custom-session-name"],
@@ -374,6 +380,7 @@ test("terraform_docs enabled in root config", async () => {
       ["enable_trivy", true],
       ["enable_terraform_docs", true],
       ["destroy", false],
+      ["accept_change_by_renovate", false],
       ["tflint_fix", false],
       ["terraform_command", "terraform"],
       ["aws_role_session_name", "tfaction-plan-tests_aws_foo_dev-" + runID],
@@ -427,6 +434,7 @@ test("environment variables from targetGroup", async () => {
       ["enable_trivy", true],
       ["enable_terraform_docs", false],
       ["destroy", false],
+      ["accept_change_by_renovate", false],
       ["tflint_fix", false],
       ["terraform_command", "terraform"],
       ["aws_role_session_name", "tfaction-plan-tests_aws_foo_dev-" + runID],
@@ -480,6 +488,7 @@ test("environment variables from root config", async () => {
       ["enable_trivy", true],
       ["enable_terraform_docs", false],
       ["destroy", false],
+      ["accept_change_by_renovate", false],
       ["tflint_fix", false],
       ["terraform_command", "terraform"],
       ["aws_role_session_name", "tfaction-plan-tests_aws_foo_dev-" + runID],
@@ -546,6 +555,7 @@ test("gcp configuration", async () => {
         "projects/456/locations/global/workloadIdentityPools/pool/providers/provider",
       ],
       ["destroy", false],
+      ["accept_change_by_renovate", false],
       ["enable_terraform_docs", false],
     ]),
   };
@@ -599,6 +609,7 @@ test("gcp_access_token_scopes", async () => {
       ["enable_trivy", true],
       ["enable_terraform_docs", false],
       ["destroy", false],
+      ["accept_change_by_renovate", false],
       ["tflint_fix", false],
       ["terraform_command", "terraform"],
       ["aws_role_session_name", "tfaction-plan-tests_aws_foo_dev-" + runID],
@@ -652,6 +663,7 @@ test("s3_bucket_name_tfmigrate_history", async () => {
       ["enable_trivy", true],
       ["enable_terraform_docs", false],
       ["destroy", false],
+      ["accept_change_by_renovate", false],
       ["tflint_fix", false],
       ["terraform_command", "terraform"],
       ["aws_role_session_name", "tfaction-plan-tests_aws_foo_dev-" + runID],
@@ -702,6 +714,7 @@ test("gcs_bucket_name_tfmigrate_history", async () => {
       ["enable_trivy", true],
       ["enable_terraform_docs", false],
       ["destroy", false],
+      ["accept_change_by_renovate", false],
       ["tflint_fix", false],
       ["terraform_command", "terraform"],
       ["aws_role_session_name", "tfaction-plan-tests_aws_foo_dev-" + runID],
@@ -749,6 +762,7 @@ test("providers_lock_opts override", async () => {
       ["enable_trivy", true],
       ["enable_terraform_docs", false],
       ["destroy", false],
+      ["accept_change_by_renovate", false],
       ["tflint_fix", false],
       ["terraform_command", "terraform"],
       ["aws_role_session_name", "tfaction-plan-tests_aws_foo_dev-" + runID],
@@ -848,6 +862,7 @@ test("only workingDir provided - target derived from workingDir", async () => {
       ["enable_trivy", true],
       ["enable_terraform_docs", false],
       ["destroy", false],
+      ["accept_change_by_renovate", false],
       ["tflint_fix", false],
       ["terraform_command", "terraform"],
       ["aws_role_session_name", "tfaction-plan-tests_aws_foo_dev-" + runID],
@@ -896,6 +911,7 @@ test("tflint_fix enabled in root config", async () => {
       ["enable_trivy", true],
       ["enable_terraform_docs", false],
       ["destroy", false],
+      ["accept_change_by_renovate", false],
       ["tflint_fix", true],
       ["terraform_command", "terraform"],
       ["aws_role_session_name", "tfaction-plan-tests_aws_foo_dev-" + runID],
@@ -950,6 +966,7 @@ test("target group env overrides root env", async () => {
       ["enable_trivy", true],
       ["enable_terraform_docs", false],
       ["destroy", false],
+      ["accept_change_by_renovate", false],
       ["tflint_fix", false],
       ["terraform_command", "terraform"],
       ["aws_role_session_name", "tfaction-plan-tests_aws_foo_dev-" + runID],

src/actions/get-target-config/index.ts

@@ -42,6 +42,7 @@ export interface TargetConfig {
   // Only for non-scaffold_working_dir job types
   destroy?: boolean;
   enable_terraform_docs?: boolean;
+  accept_change_by_renovate?: boolean;
 
   // Additional envs from config (dynamic)
   env?: Record<string, string>;
@@ -190,6 +191,7 @@ export const getTargetConfig = async (
     }
 
     result.destroy = wdConfig.destroy ? true : false;
+    result.accept_change_by_renovate = wdConfig.accept_change_by_renovate;
     result.enable_terraform_docs =
       wdConfig?.terraform_docs?.enabled ??
       config?.terraform_docs?.enabled ??

src/actions/plan/run.test.ts

@@ -2,9 +2,11 @@ import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
 import * as fs from "fs";
 import * as path from "path";
 import * as core from "@actions/core";
+import * as github from "@actions/github";
 import {
   runTerraformPlan,
   runTfmigratePlan,
+  disableAutoMergeForRenovateChange,
   main,
   type RunInputs,
 } from "./run";
@@ -20,6 +22,10 @@ vi.mock("@actions/core", () => ({
   info: vi.fn(),
 }));
 
+vi.mock("@actions/github", () => ({
+  getOctokit: vi.fn(),
+}));
+
 vi.mock("@actions/artifact", () => ({
   DefaultArtifactClient: class MockArtifactClient {
     uploadArtifact = vi.fn().mockResolvedValue({});
@@ -78,6 +84,12 @@ const createMockExecutor = () => ({
 
 type MockExecutor = ReturnType<typeof createMockExecutor>;
 
+// Helper to create a mock octokit with graphql
+const createMockOctokit = () => ({
+  graphql: vi.fn().mockResolvedValue({}),
+  rest: {},
+});
+
 // Base inputs for tests
 const createBaseInputs = (executor: MockExecutor) => ({
   githubToken: "test-token",
@@ -86,6 +98,7 @@ const createBaseInputs = (executor: MockExecutor) => ({
   destroy: false,
   tfCommand: "terraform",
   target: "aws/test/dev",
+  acceptChangeByRenovate: false,
   executor: executor as unknown as aqua.Executor,
 });
 
@@ -248,9 +261,18 @@ describe("runTerraformPlan", () => {
     );
   });
 
-  it("validates renovate change when PR author is renovate and no renovate-change label", async () => {
+  it("disables auto-merge when renovate PR has changes and auto_merge is enabled", async () => {
+    const mockOctokit = createMockOctokit();
+    vi.mocked(github.getOctokit).mockReturnValue(
+      mockOctokit as unknown as ReturnType<typeof github.getOctokit>,
+    );
     vi.mocked(fs.existsSync).mockReturnValue(true);
-    vi.mocked(fs.readFileSync).mockReturnValue("label1\nlabel2\n");
+    vi.mocked(fs.readFileSync).mockReturnValue(
+      JSON.stringify({
+        node_id: "PR_123",
+        auto_merge: { merge_method: "squash" },
+      }),
+    );
 
     mockExecutor.getExecOutput
       .mockResolvedValueOnce({
@@ -271,8 +293,11 @@ describe("runTerraformPlan", () => {
       ciInfoTempDir: "/tmp/ci-info",
     };
 
-    await expect(runTerraformPlan(inputs)).rejects.toThrow(
-      "Renovate PR must have 'No change' or 'renovate-change' label",
+    const result = await runTerraformPlan(inputs);
+    expect(result.detailedExitcode).toBe(2);
+    expect(mockOctokit.graphql).toHaveBeenCalledWith(
+      expect.stringContaining("disablePullRequestAutoMerge"),
+      { nodeId: "PR_123" },
     );
     expect(mockExecutor.exec).toHaveBeenCalledWith(
       "github-comment",
@@ -281,10 +306,13 @@ describe("runTerraformPlan", () => {
     );
   });
 
-  it("skips renovate validation when renovate-change label exists", async () => {
+  it("skips disabling auto-merge when auto_merge is not enabled", async () => {
     vi.mocked(fs.existsSync).mockReturnValue(true);
     vi.mocked(fs.readFileSync).mockReturnValue(
-      "label1\nrenovate-change\nlabel2\n",
+      JSON.stringify({
+        node_id: "PR_123",
+        auto_merge: null,
+      }),
     );
 
     mockExecutor.getExecOutput
@@ -307,9 +335,10 @@ describe("runTerraformPlan", () => {
 
     const result = await runTerraformPlan(inputs);
     expect(result.detailedExitcode).toBe(2);
+    expect(mockExecutor.exec).not.toHaveBeenCalled();
   });
 
-  it("skips renovate validation when PR author is not renovate", async () => {
+  it("skips renovate check when PR author is not renovate", async () => {
     mockExecutor.getExecOutput
       .mockResolvedValueOnce({
         exitCode: 2,
@@ -383,6 +412,47 @@ describe("runTerraformPlan", () => {
   });
 });
 
+describe("disableAutoMergeForRenovateChange", () => {
+  let mockExecutor: MockExecutor;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockExecutor = createMockExecutor();
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it("skips when pr.json not found", async () => {
+    vi.mocked(fs.existsSync).mockReturnValue(false);
+
+    const inputs = {
+      ...createBaseInputs(mockExecutor),
+      prAuthor: "renovate[bot]",
+      ciInfoTempDir: "/tmp/ci-info",
+    };
+
+    await disableAutoMergeForRenovateChange(inputs);
+    expect(core.warning).toHaveBeenCalledWith(
+      "PR JSON file not found: /tmp/ci-info/pr.json",
+    );
+    expect(mockExecutor.exec).not.toHaveBeenCalled();
+  });
+
+  it("skips when acceptChangeByRenovate is true", async () => {
+    const inputs = {
+      ...createBaseInputs(mockExecutor),
+      prAuthor: "renovate[bot]",
+      ciInfoTempDir: "/tmp/ci-info",
+      acceptChangeByRenovate: true,
+    };
+
+    await disableAutoMergeForRenovateChange(inputs);
+    expect(mockExecutor.exec).not.toHaveBeenCalled();
+  });
+});
+
 describe("runTfmigratePlan", () => {
   let mockExecutor: MockExecutor;
   let tempDir: string;