From 07c4b881f3ccd5dd657d34b665496080f8ae3552 Mon Sep 17 00:00:00 2001
From: "privilegedescalation-engineer[bot]" <269729446+privilegedescalation-engineer[bot]@users.noreply.github.com>
Date: Wed, 15 Apr 2026 01:56:18 +0000
Subject: [PATCH] ci-health-check: detect action_required (GitHub App PR approval blocked) (#85)

Detects when workflow runs conclude with action_required, which indicates GitHub's 'Require approval for first-time contributors' setting is blocking workflow runs from the privilegedescalation-engineer[bot] GitHub App. This is a CI pipeline blocker that prevents bot-authored PRs from advancing through the review pipeline. See PRI-44 for the full investigation.

Co-authored-by: Hugh Hackman
---
 .github/scripts/ci-health-check.sh | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.github/scripts/ci-health-check.sh b/.github/scripts/ci-health-check.sh
index c36dddd..cfa99a1 100755
--- a/.github/scripts/ci-health-check.sh
+++ b/.github/scripts/ci-health-check.sh
@@ -59,6 +59,15 @@ for repo in "${PLUGIN_REPOS[@]}"; do
 ((warnings++)) || true
 fi
 
+ # Check for action_required — GitHub's "Require approval for first-time contributors" setting
+ # blocks workflow runs from GitHub App bot accounts. This is a CI pipeline blocker (see PRI-44).
+ action_required_count=$(echo "$runs" | jq '[.[] | select(.conclusion=="action_required")] | length')
+ if [ "$action_required_count" -gt 0 ]; then
+ echo " FAIL: ${action_required_count} workflow run(s) with action_required (GitHub App PR approval blocked):"
+ echo "$runs" | jq -r '.[] | select(.conclusion=="action_required") | " - \(.name) on \(.headBranch) (\(.updatedAt))"'
+ ((failures++)) || true
+ fi
+
 # Check latest release
 latest_release=$(gh api "repos/${ORG}/${repo}/releases" --jq '.[0].tag_name // "none"' 2>/dev/null || echo "error")
 echo " Latest release: ${latest_release}"
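Review bot: The new `if [ "$action_required_count" -gt 0 ]` test has no fallback when the jq command substitution produces no output, so an empty or non-JSON `$runs` (how `runs` is fetched is outside the hunk, so whether it can hold a non-JSON fallback such as the `|| echo "error"` pattern used for `latest_release` is inferred) turns the comparison into an `integer expression expected` error on stderr rather than a clean skip; `if [ "${action_required_count:-0}" -gt 0 ]; then` closes that gap. The two `echo "$runs" | jq ...` pipelines re-run the same selection and could each read the variable directly with `jq ... <<<"$runs"`. The header comment names the setting that produces `action_required` but not what an operator should do with the FAIL, so I would extend it with `# Remediation is to approve the blocked run on the PR or adjust the repository's workflow-approval policy, not to disable the setting, which exists to keep unreviewed first-time contributions from running workflow code.` The enclosing `for repo` loop starts and ends outside the hunk.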