headlamp-polaris-plugin/.github/workflows/dual-approval.yaml at 5e6cd6603b168f01325834d5d2e9250501b60721

privilegedescalation/headlamp-polaris-plugin

Fork 0

Files

T

Chris Farhood d7cbe969fb

CI / ci (push) Successful in 42s

Details

CI / ci (pull_request) Successful in 38s

Details

fix(dual-approval): remove container: ubuntu:latest and Install dependencies step

The ubuntu-latest runner host already has curl, jq, and ca-certificates
pre-installed. The apt-get update call inside the Docker container was
failing due to broken container networking on the runner host (runs 577,
578), blocking PR #182 (dev→uat promotion).

Co-Authored-By: Paperclip <noreply@paperclip.ing>

2026-05-20 23:56:41 +00:00

112 lines

4.3 KiB

YAML

Raw Blame History

 name: Promotion Gate
 # dev PRs: no gate (engineer self-merges).
 # uat PRs: QA approval required.
 # main PRs: UAT approval required (uat→main promotions).
 on:
   pull_request_review:
     types: [submitted, dismissed]
   pull_request:
     branches: [uat, main]
     types: [opened, reopened, synchronize]
 jobs:
   promotion-gate:
     name: Promotion Gate
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
       - name: Check promotion approval
         env:
           GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
           REPO: ${{ github.repository }}
           BASE_REF: ${{ github.base_ref }}
         run: |
           if [ -z "${PR_NUMBER}" ] || [ "${PR_NUMBER}" = "null" ]; then
             echo "::notice::No PR number in context. Skipping promotion gate."
             exit 0
           fi
           echo "Checking promotion gate for PR #${PR_NUMBER} targeting ${BASE_REF} in ${REPO}"
           if [ -z "${BASE_REF}" ] && [ -n "${PR_NUMBER}" ] && [ "${PR_NUMBER}" != "null" ]; then
             BASE_REF=$(curl -sf \
               -H "Authorization: token ${GITEA_TOKEN}" \
               -H "Accept: application/json" \
               "https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.base.ref')
             echo "BASE_REF was empty; resolved from PR #${PR_NUMBER} API: ${BASE_REF}"
           fi
           # Determine required reviewer based on target branch
           case "${BASE_REF}" in
             dev)
               echo "Target is dev — no review required. Engineers self-merge."
               exit 0
               ;;
             uat)
               REQUIRED_REVIEWER="pe_regina"
               GATE_NAME="QA"
               ;;
             main)
               REQUIRED_REVIEWER="pe_regina"
               GATE_NAME="QA"
               # For plugin repos (Pipeline A), UAT approval is needed for uat→main
               # Check if the source branch is uat
               SOURCE_REF=$(curl -sf \
                 -H "Authorization: token ${GITEA_TOKEN}" \
                 -H "Accept: application/json" \
                 "https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}" | jq -r '.head.ref')
               if [ "${SOURCE_REF}" = "uat" ]; then
                 REQUIRED_REVIEWER="pe_patty"
                 GATE_NAME="UAT"
               fi
               ;;
             *)
               echo "::notice::Target branch '${BASE_REF}' has no promotion gate configured."
               exit 0
               ;;
           esac
           echo "Required reviewer: ${REQUIRED_REVIEWER} (${GATE_NAME})"
           # For uat→main promotions, pe_patty may not be able to review (bot account).
           # Accept pe_nancy (CTO) as a valid alternative reviewer.
           ALT_REVIEWER=""
           if [ "${REQUIRED_REVIEWER}" = "pe_patty" ]; then
             ALT_REVIEWER="pe_nancy"
           fi
           REVIEWS=$(curl -sf \
             -H "Authorization: token ${GITEA_TOKEN}" \
             -H "Accept: application/json" \
             "https://git.farh.net/api/v1/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
           if [ -z "${REVIEWS}" ] || [ "${REVIEWS}" = "null" ]; then
             echo "::warning::Could not fetch reviews for PR #${PR_NUMBER}."
             exit 1
           fi
           REVIEWER_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${REQUIRED_REVIEWER}" \
             '[.[] | select(.user.login == $user)] | last | if .state then .state == "APPROVED" else false end')
           echo "${GATE_NAME} (${REQUIRED_REVIEWER}) approved: ${REVIEWER_APPROVED}"
           # Fallback: check if CTO approved as alternative for uat→main
           if [ "${REVIEWER_APPROVED}" != "true" ] && [ -n "${ALT_REVIEWER}" ]; then
             REVIEWER_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${ALT_REVIEWER}" \
               '[.[] | select(.user.login == $user)] | last | if .state then .state == "APPROVED" else false end')
             if [ "${REVIEWER_APPROVED}" = "true" ]; then
               echo "CTO (${ALT_REVIEWER}) approved as fallback for UAT gate."
             fi
           fi
           if [ "${REVIEWER_APPROVED}" = "true" ]; then
             echo "Promotion gate passed: ${GATE_NAME} has approved."
           else
             echo "Promotion gate failed: waiting for ${GATE_NAME} approval from ${REQUIRED_REVIEWER}."
             exit 1
           fi

112 lines 4.3 KiB YAML Raw Blame History

112 lines

4.3 KiB

YAML

Raw Blame History