fix(ci): match [bot] suffix in dual-approval-check reviewer usernames

GitHub App reviews are submitted as `privilegedescalation-cto[bot]`
and `privilegedescalation-qa[bot]`, not the bare usernames used in the
workflow defaults. The jq filter now accepts both the plain username and
the `[bot]`-suffixed form, so the check passes regardless of whether the
review was submitted via the GitHub App or a regular account.

Fixes: https://github.com/privilegedescalation/.github/issues/51

Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Hugh Hackman
2026-03-22 05:10:29 +00:00
parent 950af300bf
commit cede9322dc
+2 -2
@@ -59,10 +59,10 @@ jobs:
"https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
CTO_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${CTO_REVIEWER}" \
'[.[] | select(.user.login == $user)] | last | .state == "APPROVED"')
'[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
QA_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${QA_REVIEWER}" \
'[.[] | select(.user.login == $user)] | last | .state == "APPROVED"')
'[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
echo "CTO (${CTO_REVIEWER}) approved: ${CTO_APPROVED}"
echo "QA (${QA_REVIEWER}) approved: ${QA_APPROVED}"
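Review bot: In both the CTO_APPROVED and QA_APPROVED filters, the new `select(.user.login == $user or .user.login == ($user + "[bot]"))` merges two distinct accounts into one reviewer, and `last | .state == "APPROVED"` then takes whichever of them reviewed most recently. An approval from a regular account holding the bare name therefore satisfies the gate exactly as the GitHub App's approval does, and a later non-approving review from either identity overrides an approval from the other. If only the App is meant to approve, set the CTO_REVIEWER and QA_REVIEWER defaults to the `[bot]` logins and keep the exact match. If both forms are intended, say so in a comment next to the filter, and consider holding the duplicated filter string in one variable so the two checks cannot drift apart.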