From 950af300bfd969faf32a8f3e43a5497f38008f02 Mon Sep 17 00:00:00 2001
From: Hugh Hackman
Date: Sun, 22 Mar 2026 04:45:20 +0000
Subject: [PATCH 1/2] fix: replace gh api with curl in dual-approval-check workflow The gh CLI is not installed on the self-hosted ARC runners (runners-privilegedescalation). Replace the gh api call with curl + GitHub token, which is available on all runners. Fixes: https://github.com/privilegedescalation/.github/issues/50 Unblocks: headlamp-polaris-plugin PR #98 and v1.0.0 release pipeline
---
 .github/workflows/dual-approval-check.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/dual-approval-check.yaml b/.github/workflows/dual-approval-check.yaml
index 324ce4a..1c88029 100644
--- a/.github/workflows/dual-approval-check.yaml
+++ b/.github/workflows/dual-approval-check.yaml
@@ -53,7 +53,10 @@ jobs:
 echo "Checking approvals on PR #${PR_NUMBER} in ${REPO}"
- REVIEWS=$(gh api "repos/${REPO}/pulls/${PR_NUMBER}/reviews" 2>&1)
+ REVIEWS=$(curl -sf \
+ -H "Authorization: Bearer ${GH_TOKEN}" \
+ -H "Accept: application/vnd.github.v3+json" \
+ "https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
 CTO_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${CTO_REVIEWER}" \
 '[.[] | select(.user.login == $user)] | last | .state == "APPROVED"')
From cede9322dca709cf9dd5e0b5ab035a5bc2a214b3 Mon Sep 17 00:00:00 2001
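Review bot: The new `curl` call in the `REVIEWS=` assignment reads only the first page of the reviews endpoint (30 entries by default), so on a PR with a long review history the later `last | .state` filters can evaluate a stale review and miss a subsequent CHANGES_REQUESTED or dismissal. Request the largest page, `"https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}/reviews?per_page=100")`, and either follow pagination or fail the check when a full page comes back. `-sf` also hides the reason for a 401/403, and whether an empty `REVIEWS` stops the step depends on shell options that are not visible in this hunk; `curl -sSf` plus an explicit `|| { echo "reviews lookup failed" >&2; exit 1; }` keeps the gate fail-closed with a usable log line. The `run:` script starts and ends outside the hunk.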
From: Hugh Hackman
Date: Sun, 22 Mar 2026 05:10:29 +0000
Subject: [PATCH 2/2] fix(ci): match [bot] suffix in dual-approval-check reviewer usernames GitHub App reviews are submitted as `privilegedescalation-cto[bot]` and `privilegedescalation-qa[bot]`, not the bare usernames used in the workflow defaults. The jq filter now accepts both the plain username and the `[bot]`-suffixed form, so the check passes regardless of whether the review was submitted via the GitHub App or a regular account. Fixes: https://github.com/privilegedescalation/.github/issues/51 Co-Authored-By: Paperclip
---
 .github/workflows/dual-approval-check.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/dual-approval-check.yaml b/.github/workflows/dual-approval-check.yaml
index 1c88029..6ff3ce9 100644
--- a/.github/workflows/dual-approval-check.yaml
+++ b/.github/workflows/dual-approval-check.yaml
@@ -59,10 +59,10 @@ jobs:
 "https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
 CTO_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${CTO_REVIEWER}" \
- '[.[] | select(.user.login == $user)] | last | .state == "APPROVED"')
+ '[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
 QA_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${QA_REVIEWER}" \
- '[.[] | select(.user.login == $user)] | last | .state == "APPROVED"')
+ '[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
 echo "CTO (${CTO_REVIEWER}) approved: ${CTO_APPROVED}"
 echo "QA (${QA_REVIEWER}) approved: ${QA_APPROVED}"
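Review bot: The widened `select(...)` in both jq filters identifies a required approver by login string alone and now treats two distinct identities, `$user` and `$user[bot]`, as interchangeable, so the gate is decided by whichever of them reviewed last. With the bare names as workflow defaults, a regular account holding that bare login would count the same as the GitHub App; who controls those logins is not visible in this diff and should be confirmed. Prefer pinning the one expected identity, e.g. `select(.user.login == ($user + "[bot]") and .user.type == "Bot")`, or set the reviewer inputs to the full `[bot]` logins and keep the strict equality. The same filter is repeated on the CTO and QA lines, so the point applies to both; the surrounding `run:` script lies outside the hunk.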