GitHub App reviews are submitted as `privilegedescalation-cto[bot]`
and `privilegedescalation-qa[bot]`, not the bare usernames used in the
workflow defaults. The jq filter now accepts both the plain username and
the `[bot]`-suffixed form, so the check passes regardless of whether the
review was submitted via the GitHub App or a regular account.

Fixes: https://github.com/privilegedescalation/.github/issues/51
Co-Authored-By: Paperclip <noreply@paperclip.ing>

The gh CLI is not installed on the self-hosted ARC runners
(runners-privilegedescalation). Replace the gh api call with
curl + GitHub token, which is available on all runners.

Fixes: https://github.com/privilegedescalation/.github/issues/50
Unblocks: headlamp-polaris-plugin PR #98 and v1.0.0 release pipeline

Previously the jq logic checked if *any* review from CTO/QA had
state == APPROVED. This allowed a PR to pass dual-approval even if
the reviewer subsequently requested changes — because the earlier
approval was still in the review history.
Fix: filter reviews by user, take the last one, and check its state.
This ensures a CHANGES_REQUESTED review after an approval correctly
blocks the check.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

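The last-review logic described in this commit, together with the `[bot]`-suffix matching from the earlier one, re-implemented in Python as an added example (the workflow itself uses a jq filter; this is not the project's code). The replaced any-approval check sits beside the fixed last-review check so the difference is visible; the review list is constructed sample data, and review order is assumed to be submission order as the reviews API returns it.

```python
import json

# Reviewers whose latest review must be APPROVED (names from the commit messages).
REQUIRED_REVIEWERS = ("privilegedescalation-cto", "privilegedescalation-qa")


def matches_reviewer(login, reviewer):
    """Accept the plain username and the GitHub App form '<name>[bot]'."""
    return login in (reviewer, reviewer + "[bot]")


def any_approval_check(reviews, reviewer):
    """The replaced logic: passes if *any* review by the reviewer is APPROVED,
    so a later CHANGES_REQUESTED does not revoke an earlier approval."""
    return any(
        r["state"] == "APPROVED"
        for r in reviews
        if matches_reviewer(r["user"]["login"], reviewer)
    )


def latest_review_check(reviews, reviewer):
    """The fixed logic: only the reviewer's most recent review counts.
    Assumes the list is in submission order, as the reviews API returns it."""
    states = [r["state"] for r in reviews
              if matches_reviewer(r["user"]["login"], reviewer)]
    return bool(states) and states[-1] == "APPROVED"


def dual_approved(reviews, check=latest_review_check):
    """True only when every required reviewer passes the given check."""
    return all(check(reviews, reviewer) for reviewer in REQUIRED_REVIEWERS)


# Constructed sample shaped like GET /repos/{owner}/{repo}/pulls/{n}/reviews:
# the CTO approved via the GitHub App, QA approved and then requested changes.
SAMPLE_REVIEWS = json.loads("""[
  {"user": {"login": "privilegedescalation-cto[bot]"}, "state": "APPROVED"},
  {"user": {"login": "privilegedescalation-qa"}, "state": "APPROVED"},
  {"user": {"login": "privilegedescalation-qa"}, "state": "CHANGES_REQUESTED"}
]""")

if __name__ == "__main__":
    print("old logic:", dual_approved(SAMPLE_REVIEWS, any_approval_check))  # True
    print("new logic:", dual_approved(SAMPLE_REVIEWS))                       # False
```

With the old check the sample PR passes despite QA's outstanding change request; with the fixed check it is blocked until QA submits a new approval.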
Adds a shared reusable workflow that plugin repos can call to enforce
the dual CTO+QA approval policy as a GitHub required status check.
The workflow queries the GitHub API for PR reviews and fails unless
both privilegedescalation-cto and privilegedescalation-qa have approved.
Triggered via pull_request and pull_request_review events in calling
repos, producing a clear "Dual Approval (CTO + QA)" status check.
Co-Authored-By: Paperclip <noreply@paperclip.ing>