privilegedescalation/org
12
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3dfe2d265bf628cdc015cbd8cff2e8ea648a8db7
org/.github/workflows/dual-approval-check.yaml
T
Hugh Hackman d0635c4870 fix: make pr_number input optional in dual-approval-check 
PR #81 adds pr_number as a required input, but the 5 calling
plugin repos don't yet pass this input. Change required: true
to required: false so the workflow_call can succeed without it,
while companion PRs are opened to add the input to each caller.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-25 13:04:52 +00:00

86 lines
2.9 KiB
YAML
Raw Blame History

name: Dual Approval Check
# Reusable workflow: verifies that both the CTO and QA bot accounts
# have approved a pull request. Plugin repos call this on
# pull_request_review events to get a required GitHub status check.
#
# Usage in a plugin repo's workflow:
#
# on:
# pull_request_review:
# types: [submitted, dismissed]
# pull_request:
# types: [opened, reopened, synchronize]
#
# jobs:
# dual-approval:
# uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
# secrets: inherit
on:
workflow_call:
inputs:
pr_number:
description: "Pull request number"
required: false
type: number
cto-reviewer:
description: "GitHub username of the CTO reviewer"
required: false
type: string
default: "privilegedescalation-cto"
qa-reviewer:
description: "GitHub username of the QA reviewer"
required: false
type: string
default: "privilegedescalation-qa"
jobs:
dual-approval:
name: Dual Approval (CTO + QA)
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Check dual approval
env:
GH_TOKEN: ${{ github.token }}
CTO_REVIEWER: ${{ inputs.cto-reviewer }}
QA_REVIEWER: ${{ inputs.qa-reviewer }}
PR_NUMBER: ${{ inputs.pr_number }}
REPO: ${{ github.repository }}
run: |
if [ -z "${PR_NUMBER}" ]; then
echo "::error::No pull request number found in event context. This workflow must be called from a pull_request or pull_request_review trigger."
exit 1
fi
echo "Checking approvals on PR #${PR_NUMBER} in ${REPO}"
REVIEWS=$(curl -sf \
-H "Authorization: Bearer ${GH_TOKEN}" \
-H "Accept: application/vnd.github.v3+json" \
"https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
CTO_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${CTO_REVIEWER}" \
'[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
QA_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${QA_REVIEWER}" \
'[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
echo "CTO (${CTO_REVIEWER}) approved: ${CTO_APPROVED}"
echo "QA (${QA_REVIEWER}) approved: ${QA_APPROVED}"
if [ "${CTO_APPROVED}" = "true" ] && [ "${QA_APPROVED}" = "true" ]; then
echo "Both CTO and QA have approved. Dual approval check passed."
else
echo "Dual approval check failed."
if [ "${CTO_APPROVED}" != "true" ]; then
echo " Missing: CTO approval from ${CTO_REVIEWER}"
fi
if [ "${QA_APPROVED}" != "true" ]; then
echo " Missing: QA approval from ${QA_REVIEWER}"
fi
exit 1
fi
Reference in New Issue View Git Blame Copy Permalink