Chris Farhood
f02d888d82
The workflow was failing on pull_request_review events when triggered by
non-PR actors (e.g. greptile-apps[bot] commenting). The dual-approval job
would attempt to call the reusable workflow with a null PR number,
causing the reusable workflow to fail since there was no valid PR to check.
Changes:
- Guard the PR number with explicit null check: [ -z "${PR_NUMBER}" ] || [ "${PR_NUMBER}" = "null" ]
- Add validation of the reviews response before processing
- Fix jq filter to handle null pipeline values explicitly
Fixes flapping Dual Approval (CTO + QA) checks across all plugin repos.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
73 lines
2.7 KiB
YAML
73 lines
2.7 KiB
YAML
name: Dual Approval Check
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
pr_number:
|
|
description: "Pull request number"
|
|
required: false
|
|
type: number
|
|
cto-reviewer:
|
|
description: "GitHub username of the CTO reviewer"
|
|
required: false
|
|
type: string
|
|
default: "privilegedescalation-cto"
|
|
qa-reviewer:
|
|
description: "GitHub username of the QA reviewer"
|
|
required: false
|
|
type: string
|
|
default: "privilegedescalation-qa"
|
|
|
|
jobs:
|
|
dual-approval:
|
|
name: Dual Approval (CTO + QA)
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 5
|
|
|
|
steps:
|
|
- name: Check dual approval
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
CTO_REVIEWER: ${{ inputs.cto-reviewer }}
|
|
QA_REVIEWER: ${{ inputs.qa-reviewer }}
|
|
PR_NUMBER: ${{ inputs.pr_number }}
|
|
REPO: ${{ github.repository }}
|
|
run: |
|
|
if [ -z "${PR_NUMBER}" ] || [ "${PR_NUMBER}" = "null" ]; then
|
|
echo "::notice::No PR number in context (dismissed review or workflow_call without pr_number). Skipping dual approval check — no action needed."
|
|
exit 0
|
|
fi
|
|
|
|
echo "Checking approvals on PR #${PR_NUMBER} in ${REPO}"
|
|
|
|
REVIEWS=$(curl -sf \
|
|
-H "Authorization: Bearer ${GH_TOKEN}" \
|
|
-H "Accept: application/vnd.github.v3+json" \
|
|
"https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
|
|
|
|
if [ -z "${REVIEWS}" ] || [ "${REVIEWS}" = "null" ]; then
|
|
echo "::warning::Could not fetch reviews for PR #${PR_NUMBER}. Assuming no approvals yet."
|
|
exit 1
|
|
fi
|
|
|
|
CTO_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${CTO_REVIEWER}" \
|
|
'[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | if .state then .state == "APPROVED" else false end')
|
|
|
|
QA_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${QA_REVIEWER}" \
|
|
'[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | if .state then .state == "APPROVED" else false end')
|
|
|
|
echo "CTO (${CTO_REVIEWER}) approved: ${CTO_APPROVED}"
|
|
echo "QA (${QA_REVIEWER}) approved: ${QA_APPROVED}"
|
|
|
|
if [ "${CTO_APPROVED}" = "true" ] && [ "${QA_APPROVED}" = "true" ]; then
|
|
echo "Both CTO and QA have approved. Dual approval check passed."
|
|
else
|
|
echo "Dual approval check failed."
|
|
if [ "${CTO_APPROVED}" != "true" ]; then
|
|
echo " Missing: CTO approval from ${CTO_REVIEWER}"
|
|
fi
|
|
if [ "${QA_APPROVED}" != "true" ]; then
|
|
echo " Missing: QA approval from ${QA_REVIEWER}"
|
|
fi
|
|
exit 1
|
|
fi |