privilegedescalation/org
12
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
db565fc0a8577e9f91fdc674a73d5e374ed0a82a
org/.github/workflows/dual-approval-check.yaml
T
privilegedescalation-engineer[bot] 06e6784174 fix: skip dual approval check gracefully on dismissed reviews (#122) 
* feat(release): add token permission pre-check

Detect missing write permissions early in the release pipeline rather
than failing late during git push with a cryptic 403 error (see PRI-348).

The new check-token-permissions job generates a GitHub App token and
attempts to create a test ref via the API. On 201 the token has write
permission (cleaned up immediately); on 403 the release job is skipped
with a clear error message. This saves CI time and provides actionable
diagnostics.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* fix: skip dual approval check gracefully on dismissed reviews

When a pull_request_review event is dismissed, the PR context is null and
PR_NUMBER is empty. Instead of exiting with an error, exit 0 (skip) since
dismissed reviews are not approvals and do not affect the approval state.

Fixes PRI-314.

---------

Co-authored-by: Chris Farhood <chris@farhood.org>
Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-05-04 05:00:15 +00:00

86 lines
2.9 KiB
YAML
Raw Blame History

name: Dual Approval Check
# Reusable workflow: verifies that both the CTO and QA bot accounts
# have approved a pull request. Plugin repos call this on
# pull_request_review events to get a required GitHub status check.
#
# Usage in a plugin repo's workflow:
#
# on:
# pull_request_review:
# types: [submitted, dismissed]
# pull_request:
# types: [opened, reopened, synchronize]
#
# jobs:
# dual-approval:
# uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
# secrets: inherit
on:
workflow_call:
inputs:
pr_number:
description: "Pull request number"
required: false
type: number
cto-reviewer:
description: "GitHub username of the CTO reviewer"
required: false
type: string
default: "privilegedescalation-cto"
qa-reviewer:
description: "GitHub username of the QA reviewer"
required: false
type: string
default: "privilegedescalation-qa"
jobs:
dual-approval:
name: Dual Approval (CTO + QA)
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Check dual approval
env:
GH_TOKEN: ${{ github.token }}
CTO_REVIEWER: ${{ inputs.cto-reviewer }}
QA_REVIEWER: ${{ inputs.qa-reviewer }}
PR_NUMBER: ${{ inputs.pr_number }}
REPO: ${{ github.repository }}
run: |
if [ -z "${PR_NUMBER}" ]; then
echo "::notice::No PR number in context (dismissed review?). Skipping dual approval check — no action needed."
exit 0
fi
echo "Checking approvals on PR #${PR_NUMBER} in ${REPO}"
REVIEWS=$(curl -sf \
-H "Authorization: Bearer ${GH_TOKEN}" \
-H "Accept: application/vnd.github.v3+json" \
"https://api.github.com/repos/${REPO}/pulls/${PR_NUMBER}/reviews")
CTO_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${CTO_REVIEWER}" \
'[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
QA_APPROVED=$(echo "${REVIEWS}" | jq -r --arg user "${QA_REVIEWER}" \
'[.[] | select(.user.login == $user or .user.login == ($user + "[bot]"))] | last | .state == "APPROVED"')
echo "CTO (${CTO_REVIEWER}) approved: ${CTO_APPROVED}"
echo "QA (${QA_REVIEWER}) approved: ${QA_APPROVED}"
if [ "${CTO_APPROVED}" = "true" ] && [ "${QA_APPROVED}" = "true" ]; then
echo "Both CTO and QA have approved. Dual approval check passed."
else
echo "Dual approval check failed."
if [ "${CTO_APPROVED}" != "true" ]; then
echo " Missing: CTO approval from ${CTO_REVIEWER}"
fi
if [ "${QA_APPROVED}" != "true" ]; then
echo " Missing: QA approval from ${QA_REVIEWER}"
fi
exit 1
fi
Reference in New Issue View Git Blame Copy Permalink