CI/CD Bot should not be able to approve a code review
ID | cicd_bots_can_self_review
Severity | high
Family | CI/CD Security
Tags | cicd-security, reachable, security, supply-chain
Description
CI/CD bots should not be able to approve code changes. If the repository (or organization) setting that lets GitHub Actions approve pull requests is enabled, a developer can "self-review" by having a workflow submit the approval. In that case only one developer account needs to be compromised to push code into branches that require a code review from a second person.
Security
Branch protection best practices involve requiring at least one reviewer to approve code changes made by a developer, and self-approval is typically not allowed. However, a rather simple bypass is possible if the developer can write and run GitHub Actions workflows in the repository: a workflow step can call the pull request review API with the workflow's own GITHUB_TOKEN and submit an approval as github-actions[bot], which counts toward the "Required approvals" rule.
GitHub introduced a policy setting, "Allow GitHub Actions to create and approve pull requests" (Settings > Actions > General > Workflow permissions, available at both repository and organization level), that controls whether workflows running with the GITHUB_TOKEN can approve pull requests. Disabling it protects against a user using Actions to satisfy the "Required approvals" branch protection requirement and merging a change that was not reviewed by another person. Note that the setting only governs the GITHUB_TOKEN; a workflow that approves with a personal access token or a GitHub App installation token stored as a secret is not affected by it, so those secrets need the same scrutiny.
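As an added example (not part of this rule page or of the scanner that produced it), the following Python script performs the two checks a practitioner would want for this finding, offline, against constructed API responses: it reads the field `can_approve_pull_request_reviews` that GitHub returns from `GET /repos/{owner}/{repo}/actions/permissions/workflow` (the organization-level equivalent is `GET /orgs/{org}/actions/permissions/workflow`), and it flags pull request reviews in which a bot identity such as `github-actions[bot]` supplied the approval. The endpoint paths and field names are GitHub's; the `fetch_json` helper, the sample payloads and the finding strings are this example's own.

```python
"""Detect the self-approval-via-Actions weakness from GitHub REST API data.

Check 1: is "Allow GitHub Actions to create and approve pull requests" on?
         GET /repos/{owner}/{repo}/actions/permissions/workflow
         -> {"default_workflow_permissions": ..., "can_approve_pull_request_reviews": ...}
Check 2: did a bot identity submit an APPROVED review on a pull request?
         GET /repos/{owner}/{repo}/pulls/{number}/reviews
The sample payloads at the bottom are constructed for this example.
"""
import json
import os
import urllib.request
from typing import Optional

API = "https://api.github.com"


def fetch_json(path: str, token: Optional[str] = None):
    """GET a GitHub REST endpoint and decode the JSON body (network required)."""
    req = urllib.request.Request(API + path, headers={"Accept": "application/vnd.github+json"})
    if token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def check_workflow_permissions(settings: dict) -> list:
    """Findings for the Actions workflow-permission settings of a repo or org."""
    findings = []
    if settings.get("can_approve_pull_request_reviews"):
        findings.append("cicd_bots_can_self_review: GitHub Actions may approve pull requests")
    if settings.get("default_workflow_permissions") == "write":
        # Not the rule itself, but a write-by-default GITHUB_TOKEN widens what a
        # hijacked workflow can do; read-by-default with per-job grants is safer.
        findings.append("GITHUB_TOKEN defaults to write; prefer read and grant per job")
    return findings


def is_bot(user: dict) -> bool:
    """GitHub marks app identities with type "Bot" and a "[bot]" login suffix."""
    return user.get("type") == "Bot" or user.get("login", "").endswith("[bot]")


def bot_approvals(reviews: list) -> list:
    """Reviews in APPROVED state that were submitted by a bot identity."""
    return [r for r in reviews if r.get("state") == "APPROVED" and is_bot(r.get("user", {}))]


def human_approvals(reviews: list) -> int:
    """Number of APPROVED reviews submitted by non-bot users."""
    return sum(1 for r in reviews if r.get("state") == "APPROVED" and not is_bot(r.get("user", {})))


def audit(settings: dict, reviews: list) -> dict:
    """Combine both checks; only_bot_approved is the self-review signature."""
    bots = bot_approvals(reviews)
    humans = human_approvals(reviews)
    return {
        "findings": check_workflow_permissions(settings),
        "bot_approvers": [r["user"]["login"] for r in bots],
        "human_approvals": humans,
        "only_bot_approved": bool(bots) and humans == 0,
    }


# Constructed sample data: a repo with the risky setting enabled and a PR whose
# only approval came from github-actions[bot] (no human approved it).
SAMPLE_SETTINGS = {"default_workflow_permissions": "write", "can_approve_pull_request_reviews": True}
SAMPLE_REVIEWS = [
    {"user": {"login": "github-actions[bot]", "type": "Bot"}, "state": "APPROVED", "body": "LGTM"},
    {"user": {"login": "alice", "type": "User"}, "state": "COMMENTED", "body": "nit: typo"},
]

if __name__ == "__main__":
    # Set REPO=owner/name, PR=<number> and GITHUB_TOKEN to audit a live repository;
    # without them the constructed samples are used.
    repo, pr, token = os.getenv("REPO"), os.getenv("PR"), os.getenv("GITHUB_TOKEN")
    if repo and pr:
        settings = fetch_json("/repos/%s/actions/permissions/workflow" % repo, token)
        reviews = fetch_json("/repos/%s/pulls/%s/reviews" % (repo, pr), token)
    else:
        settings, reviews = SAMPLE_SETTINGS, SAMPLE_REVIEWS
    print(json.dumps(audit(settings, reviews), indent=2))
```

Reading the setting requires a token with administration read access on the repository (or organization); listing reviews needs only pull request read access. A PR whose `only_bot_approved` is true and which was merged is the artifact to look for in an incident review, since that is exactly the approval the setting is meant to prevent.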