From cede9322dca709cf9dd5e0b5ab035a5bc2a214b3 Mon Sep 17 00:00:00 2001
From: Hugh Hackman
Date: Sun, 22 Mar 2026 05:10:29 +0000
Subject: [PATCH] fix(ci): match [bot] suffix in dual-approval-check reviewer usernames
GitHub App reviews are submitted as `privilegedescalation-cto[bot]` and `privilegedescalation-qa[bot]`, not the bare usernames used in the workflow defaults. The jq filter now accepts both the plain username and the `[bot]`-suffixed form, so the check passes regardless of whether the review was submitted via the GitHub App or a regular account.
Fixes: https://github.com/privilegedescalation/.github/issues/51
Co-Authored-By: Paperclip
---
 .github/workflows/dual-approval-check.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/dual-approval-check.yaml b/.github/workflows/dual-approval-check.yaml
index 1c88029..6ff3ce9 100644
--- a/.github/workflows/dual-approval-check.yaml
+++ b/.github/workflows/dual-approval-check.yaml
@@ -59,10 +59,10 @@ jobs:
 "https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
 CTO_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${CTO_REVIEWER}" \
- '[.[] | select(.user.login == $user)] | last | .state == "APPROVED"')
+ '[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
 QA_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${QA_REVIEWER}" \
- '[.[] | select(.user.login == $user)] | last | .state == "APPROVED"')
+ '[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
 echo "CTO (${CTO_REVIEWER}) approved: ${CTO_APPROVED}"
 echo "QA (${QA_REVIEWER}) approved: ${QA_APPROVED}"
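Review bot: Both new `select(...)` filters (CTO_APPROVED and QA_APPROVED) still accept the bare `$user` login alongside `$user + "[bot]"`, so each role in this approval gate can be satisfied by two distinct identities, matched on the login string alone. The commit message says the App's reviews arrive under the `[bot]` form, so the bare form is not needed for the fix; whether the organisation holds those plain account names is not visible here, and if it does not, a review from whoever does would count towards the gate. Consider matching only the App identity and confirming the account type, `select(.user.login == ($user + "[bot]") and .user.type == "Bot")`, or setting the workflow defaults to the `[bot]` logins and keeping the exact match. The run step these lines belong to begins and ends outside the hunk.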