fix(ci): check last review state per user in dual-approval workflow

Previously the jq logic checked if *any* review from CTO/QA had
state == APPROVED. This allowed a PR to pass dual-approval even if
the reviewer subsequently requested changes — because the earlier
approval was still in the review history.

Fix: filter reviews by user, take the last one, and check its state.
This ensures a CHANGES_REQUESTED review after an approval correctly
blocks the check.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Hugh Hackman
2026-03-22 00:11:01 +00:00
parent fbb4dfcfc3
commit 1c5eb52490
+2 -2
@@ -56,10 +56,10 @@ jobs:
REVIEWS=$(gh api "repos/${REPO}/pulls/${PR_NUMBER}/reviews" 2>&1)
CTO_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${CTO_REVIEWER}" \
'[.[] | select(.user.login == $user and .state == "APPROVED")] | length > 0')
'[.[] | select(.user.login == $user)] | last | .state == "APPROVED"')
QA_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${QA_REVIEWER}" \
'[.[] | select(.user.login == $user and .state == "APPROVED")] | length > 0')
'[.[] | select(.user.login == $user)] | last | .state == "APPROVED"')
echo "CTO (${CTO_REVIEWER}) approved: ${CTO_APPROVED}"
echo "QA (${QA_REVIEWER}) approved: ${QA_APPROVED}"
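Review bot: in both new filters, `last | .state == "APPROVED"` evaluates the reviewer's most recent review of any state, so a comment-only review (state COMMENTED) left after an approval turns the check false even though the approval still stands. Restrict the selection to the decisive states before taking `last`, for example `select(.user.login == $user and (.state == "APPROVED" or .state == "CHANGES_REQUESTED" or .state == "DISMISSED"))`. Because the result now depends on the final array element, the unchanged `gh api` call in the first context line matters too: without `--paginate` it returns only the first page of reviews, so on a PR with a long review history `last` may not be the reviewer's latest review and a later CHANGES_REQUESTED could still be missed. The `2>&1` on that line also passes any error text to jq as input rather than failing the step; dropping it and checking the exit status of `gh api` would make the job fail closed.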