privilegedescalation/org
12
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b11bc453dd6a323b084cd36ff85cc0e47a635f7a
org/.github/workflows/dual-approval-check.yaml
T
hugh-hackman[bot] 5a167e94ae fix(ci): use ubuntu-latest for dual-approval-check workflow 
The dual-approval-check workflow only makes GitHub API calls — it does
not need cluster access or any self-hosted tooling. Using the
self-hosted runner (runners-privilegedescalation) was triggering
GitHub's self-hosted runner approval requirement for workflows run by
actors with authorAssociation NONE (e.g. privilegedescalation-qa/cto
bots), causing action_required conclusions with 0 jobs executed.

Switching to ubuntu-latest eliminates the approval gate and frees
self-hosted runner capacity for actual CI builds.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-24 21:54:04 +00:00

82 lines
2.8 KiB
YAML
Raw Blame History

name: Dual Approval Check
# Reusable workflow: verifies that both the CTO and QA bot accounts
# have approved a pull request. Plugin repos call this on
# pull_request_review events to get a required GitHub status check.
#
# Usage in a plugin repo's workflow:
#
# on:
# pull_request_review:
# types: [submitted, dismissed]
# pull_request:
# types: [opened, reopened, synchronize]
#
# jobs:
# dual-approval:
# uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
# secrets: inherit
on:
workflow_call:
inputs:
cto-reviewer:
description: "GitHub username of the CTO reviewer"
required: false
type: string
default: "privilegedescalation-cto"
qa-reviewer:
description: "GitHub username of the QA reviewer"
required: false
type: string
default: "privilegedescalation-qa"
jobs:
dual-approval:
name: Dual Approval (CTO + QA)
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Check dual approval
env:
GH_TOKEN: ${{ github.token }}
CTO_REVIEWER: ${{ inputs.cto-reviewer }}
QA_REVIEWER: ${{ inputs.qa-reviewer }}
PR_NUMBER: ${{ github.event.pull_request.number }}
REPO: ${{ github.repository }}
run: |
if [ -z "${PR_NUMBER}" ]; then
echo "::error::No pull request number found in event context. This workflow must be called from a pull_request or pull_request_review trigger."
exit 1
fi
echo "Checking approvals on PR #${PR_NUMBER} in ${REPO}"
REVIEWS=$(curl -sf \
-H "Authorization: Bearer ${GH_TOKEN}" \
-H "Accept: application/vnd.github.v3+json" \
"https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
CTO_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${CTO_REVIEWER}" \
'[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
QA_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${QA_REVIEWER}" \
'[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
echo "CTO (${CTO_REVIEWER}) approved: ${CTO_APPROVED}"
echo "QA (${QA_REVIEWER}) approved: ${QA_APPROVED}"
if [ "${CTO_APPROVED}" = "true" ] && [ "${QA_APPROVED}" = "true" ]; then
echo "Both CTO and QA have approved. Dual approval check passed."
else
echo "Dual approval check failed."
if [ "${CTO_APPROVED}" != "true" ]; then
echo " Missing: CTO approval from ${CTO_REVIEWER}"
fi
if [ "${QA_APPROVED}" != "true" ]; then
echo " Missing: QA approval from ${QA_REVIEWER}"
fi
exit 1
fi
Reference in New Issue View Git Blame Copy Permalink