-
Notifications
You must be signed in to change notification settings - Fork 288
230 lines (216 loc) · 9.4 KB
/
pr-author-org-check.yml
File metadata and controls
230 lines (216 loc) · 9.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
# SPDX-FileCopyrightText: Copyright (c) 2024-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
name: "CI: Check PR author organization for restricted paths"
on:
# TODO BEFORE MERGING: change to pull_request_target
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
jobs:
check-author-org:
name: PR author may modify restricted paths
if: github.repository_owner == 'NVIDIA'
runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: read
steps:
- name: Check PR author organization for restricted paths
env:
# PR metadata inputs
AUTHOR_ASSOCIATION: ${{ github.event.pull_request.author_association || 'NONE' }}
LABELS: ${{ toJson(github.event.pull_request.labels) }}
PR_AUTHOR: ${{ github.event.pull_request.user.login }}
PR_NUMBER: ${{ github.event.pull_request.number }}
PR_URL: ${{ github.event.pull_request.html_url }}
# API request context/auth
GH_TOKEN: ${{ github.token }}
ORG_NAME: NVIDIA
ORG_REVIEW_LABEL: Check-PR-Author-ORG
REPO: ${{ github.repository }}
run: |
if ! MATCHING_RESTRICTED_PATHS=$(
gh api \
--paginate \
--jq '
.[]
| if (.filename | startswith("cuda_bindings/"))
or (.filename | startswith("cuda_python/"))
then .filename
elif ((.previous_filename // "") | startswith("cuda_bindings/"))
or ((.previous_filename // "") | startswith("cuda_python/"))
then "\(.previous_filename) -> \(.filename)"
else empty
end
' \
"repos/$REPO/pulls/$PR_NUMBER/files"
); then
echo "::error::Failed to inspect the PR file list."
{
echo "## PR Author Organization Check Failed"
echo ""
echo "- **Error**: Failed to inspect the PR file list."
echo "- **Author**: $PR_AUTHOR"
echo "- **Author association**: $AUTHOR_ASSOCIATION"
echo ""
echo "Please update the PR at: $PR_URL"
} >> "$GITHUB_STEP_SUMMARY"
exit 1
fi
TOUCHES_RESTRICTED_PATHS=false
if [ -n "$MATCHING_RESTRICTED_PATHS" ]; then
TOUCHES_RESTRICTED_PATHS=true
fi
HAS_ORG_REVIEW_LABEL=false
while IFS= read -r label; do
[ -n "$label" ] || continue
if [ "$label" = "$ORG_REVIEW_LABEL" ]; then
HAS_ORG_REVIEW_LABEL=true
break
fi
done < <(echo "$LABELS" | jq -r '.[].name')
REVIEW_LABEL_ACTION="none"
write_matching_restricted_paths() {
echo "- **Matched restricted paths**:"
echo '```text'
printf '%s\n' "$MATCHING_RESTRICTED_PATHS"
echo '```'
}
write_review_label_action() {
[ "$REVIEW_LABEL_ACTION" != "none" ] || return 0
echo "- **Review label action**: $REVIEW_LABEL_ACTION \`$ORG_REVIEW_LABEL\`"
}
ensure_org_review_label_present() {
if [ "$HAS_ORG_REVIEW_LABEL" = "false" ]; then
if ! gh issue edit "$PR_NUMBER" --repo "$REPO" --add-label "$ORG_REVIEW_LABEL" >/dev/null; then
echo "::error::Failed to add label $ORG_REVIEW_LABEL."
exit 1
fi
HAS_ORG_REVIEW_LABEL=true
REVIEW_LABEL_ACTION="added"
fi
}
ensure_org_review_label_absent() {
if [ "$HAS_ORG_REVIEW_LABEL" = "true" ]; then
if ! gh issue edit "$PR_NUMBER" --repo "$REPO" --remove-label "$ORG_REVIEW_LABEL" >/dev/null; then
echo "::error::Failed to remove label $ORG_REVIEW_LABEL."
exit 1
fi
HAS_ORG_REVIEW_LABEL=false
REVIEW_LABEL_ACTION="removed"
fi
}
if [ "$TOUCHES_RESTRICTED_PATHS" = "false" ]; then
ensure_org_review_label_absent
{
echo "## PR Author Organization Check Passed"
echo ""
echo "- **Author**: $PR_AUTHOR"
echo "- **Author association**: $AUTHOR_ASSOCIATION"
echo "- **Touches restricted paths**: false"
echo "- **Restricted paths**: \`cuda_bindings/\`, \`cuda_python/\`"
write_review_label_action
} >> "$GITHUB_STEP_SUMMARY"
exit 0
fi
# Use curl here because the 204/404/302 HTTP status is the signal we
# need. gh api treats 404 as a command failure, but 404 is an expected
# "not a member" outcome for this check.
if ! MEMBERSHIP_STATUS=$(
curl --silent --show-error --output /dev/null --write-out '%{http_code}' \
-H "Authorization: Bearer $GH_TOKEN" \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"https://api.github.com/orgs/$ORG_NAME/members/$PR_AUTHOR"
); then
echo "::error::Failed to query organization membership."
{
echo "## PR Author Organization Check Failed"
echo ""
echo "- **Error**: Failed to query organization membership."
echo "- **Author**: $PR_AUTHOR"
echo "- **Author association**: $AUTHOR_ASSOCIATION"
echo "- **Organization membership query**: failed"
echo "- **Restricted paths**: \`cuda_bindings/\`, \`cuda_python/\`"
echo ""
write_matching_restricted_paths
echo ""
echo "Please update the PR at: $PR_URL"
} >> "$GITHUB_STEP_SUMMARY"
exit 1
fi
case "$MEMBERSHIP_STATUS" in
204)
ensure_org_review_label_absent
{
echo "## PR Author Organization Check Passed"
echo ""
echo "- **Author**: $PR_AUTHOR"
echo "- **Author association**: $AUTHOR_ASSOCIATION"
echo "- **Organization membership query**: \`204\` (member)"
echo "- **Restricted paths**: \`cuda_bindings/\`, \`cuda_python/\`"
echo ""
write_matching_restricted_paths
write_review_label_action
} >> "$GITHUB_STEP_SUMMARY"
;;
302)
ensure_org_review_label_present
echo "::warning::Could not determine conclusively whether $PR_AUTHOR is a member of $ORG_NAME. Added label $ORG_REVIEW_LABEL for manual review."
{
echo "## PR Author Organization Check Inconclusive"
echo ""
echo "- **Author**: $PR_AUTHOR"
echo "- **Author association**: $AUTHOR_ASSOCIATION"
echo "- **Organization membership query**: \`302\` (inconclusive)"
echo "- **Restricted paths**: \`cuda_bindings/\`, \`cuda_python/\`"
echo ""
write_matching_restricted_paths
write_review_label_action
echo ""
echo "- **Next step**: Review whether the PR author should be allowed to modify these restricted paths."
echo ""
echo "Please update the PR at: $PR_URL"
} >> "$GITHUB_STEP_SUMMARY"
;;
404)
ensure_org_review_label_absent
echo "::error::This PR failed the author organization check. See the job summary for details."
{
echo "## PR Author Organization Check Failed"
echo ""
echo "- **Author**: $PR_AUTHOR"
echo "- **Author association**: $AUTHOR_ASSOCIATION"
echo "- **Organization membership query**: \`404\` (not a member)"
echo "- **Restricted paths**: \`cuda_bindings/\`, \`cuda_python/\`"
echo ""
write_matching_restricted_paths
write_review_label_action
echo ""
echo "- **Policy**: See \`cuda_bindings/LICENSE\` and \`cuda_python/LICENSE\`. Only NVIDIA organization members may modify files under \`cuda_bindings/\` or \`cuda_python/\`."
echo ""
echo "Please update the PR at: $PR_URL"
} >> "$GITHUB_STEP_SUMMARY"
exit 1
;;
*)
echo "::error::Unexpected response from organization membership query: HTTP $MEMBERSHIP_STATUS."
{
echo "## PR Author Organization Check Failed"
echo ""
echo "- **Error**: Unexpected response from organization membership query."
echo "- **Author**: $PR_AUTHOR"
echo "- **Author association**: $AUTHOR_ASSOCIATION"
echo "- **Organization membership query**: \`$MEMBERSHIP_STATUS\`"
echo "- **Restricted paths**: \`cuda_bindings/\`, \`cuda_python/\`"
echo ""
write_matching_restricted_paths
echo ""
echo "Please update the PR at: $PR_URL"
} >> "$GITHUB_STEP_SUMMARY"
exit 1
;;
esac