Previously the jq logic checked if *any* review from CTO/QA had
state == APPROVED. This allowed a PR to pass dual-approval even if
the reviewer subsequently requested changes — because the earlier
approval was still in the review history.
Fix: filter reviews by user, take the last one, and check its state.
This ensures a CHANGES_REQUESTED review after an approval correctly
blocks the check.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds a shared reusable workflow that plugin repos can call to enforce
the dual CTO+QA approval policy as a GitHub required status check.
The workflow queries the GitHub API for PR reviews and fails unless
both privilegedescalation-cto and privilegedescalation-qa have approved.
Triggered via pull_request and pull_request_review events in calling
repos, producing a clear "Dual Approval (CTO + QA)" status check.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Hugh Hackman