|
1 | | -name: Review Checks |
2 | | - |
3 | | -# SECURITY: This workflow uses pull_request_target so that it has write access to |
4 | | -# set commit statuses on external (fork) PRs. pull_request_target runs in the |
5 | | -# context of the base branch, which grants the GITHUB_TOKEN write permissions |
6 | | -# that a regular pull_request event on a fork would not have. |
7 | | -# |
8 | | -# IMPORTANT: This workflow must NEVER check out, build, or execute code from the |
9 | | -# PR branch. Doing so would allow a malicious fork to run arbitrary code with |
10 | | -# write access to the repository. This workflow only reads PR metadata via the |
11 | | -# GitHub API, which is safe. |
| 1 | +name: Review Checks Evaluator |
12 | 2 |
|
13 | 3 | on: |
14 | | - pull_request_target: |
| 4 | + pull_request: |
15 | 5 | types: [opened, synchronize, reopened] |
16 | 6 | pull_request_review: |
17 | 7 | types: [submitted, dismissed] |
18 | 8 | merge_group: |
19 | 9 |
|
20 | | -permissions: |
21 | | - contents: read |
22 | | - pull-requests: read |
23 | | - statuses: write |
| 10 | +permissions: read-all |
24 | 11 |
|
25 | 12 | concurrency: |
26 | 13 | group: pr-approval-check-${{ github.event.pull_request.number || github.sha }} |
27 | 14 | cancel-in-progress: true |
28 | 15 |
|
29 | 16 | jobs: |
30 | | - publish-approval-status: |
31 | | - name: Set approval status |
| 17 | + evaluate-approval-status: |
| 18 | + name: Evaluate approval status |
32 | 19 | runs-on: ubuntu-latest |
33 | 20 |
|
34 | | - # SECURITY: Do not add a checkout step to this job. See comment at the top of this file. |
35 | 21 | steps: |
36 | | - - name: Evaluate and publish approval status |
| 22 | + - name: Evaluate approval status |
37 | 23 | uses: actions/github-script@v7 |
38 | 24 | with: |
39 | 25 | github-token: ${{ secrets.GITHUB_TOKEN }} |
40 | 26 | script: | |
41 | | - const contextName = "PR approval check"; |
| 27 | + if (context.eventName === "merge_group") { |
| 28 | + core.info("Merge group entry; approvals already satisfied."); |
| 29 | + return; |
| 30 | + } |
42 | 31 |
|
43 | | - let targetSha; |
44 | | - let state; |
45 | | - let description; |
| 32 | + const pr = context.payload.pull_request; |
46 | 33 |
|
47 | | - if (context.eventName === "merge_group") { |
48 | | - targetSha = process.env.GITHUB_SHA; |
49 | | - state = "success"; |
50 | | - description = "Merge group entry; approvals already satisfied"; |
51 | | - } else { |
52 | | - const pr = context.payload.pull_request; |
53 | | - targetSha = pr.head.sha; |
| 34 | + if (pr.head.repo.fork) { |
| 35 | + core.info("External PR; evaluator intentionally does not publish statuses."); |
| 36 | + return; |
| 37 | + } |
| 38 | +
|
| 39 | + if (pr.user.login !== "clockwork-labs-bot") { |
| 40 | + core.info("PR author is not clockwork-labs-bot; no extra approval requirement."); |
| 41 | + return; |
| 42 | + } |
54 | 43 |
|
55 | | - if (pr.head.repo.fork) { |
56 | | - state = "success"; |
57 | | - description = "Skipped for external PR"; |
58 | | - } else if (pr.user.login !== "clockwork-labs-bot") { |
59 | | - state = "success"; |
60 | | - description = "PR author is not clockwork-labs-bot"; |
61 | | - } else { |
62 | | - const result = await github.graphql( |
63 | | - ` |
64 | | - query($owner: String!, $repo: String!, $number: Int!) { |
65 | | - repository(owner: $owner, name: $repo) { |
66 | | - pullRequest(number: $number) { |
67 | | - latestOpinionatedReviews(first: 100, writersOnly: true) { |
68 | | - nodes { |
69 | | - state |
70 | | - author { |
71 | | - login |
72 | | - } |
73 | | - } |
| 44 | + const result = await github.graphql( |
| 45 | + ` |
| 46 | + query($owner: String!, $repo: String!, $number: Int!) { |
| 47 | + repository(owner: $owner, name: $repo) { |
| 48 | + pullRequest(number: $number) { |
| 49 | + latestOpinionatedReviews(first: 100, writersOnly: true) { |
| 50 | + nodes { |
| 51 | + state |
| 52 | + author { |
| 53 | + login |
74 | 54 | } |
75 | 55 | } |
76 | 56 | } |
77 | 57 | } |
78 | | - `, |
79 | | - { |
80 | | - owner: context.repo.owner, |
81 | | - repo: context.repo.repo, |
82 | | - number: pr.number, |
83 | | - } |
84 | | - ); |
| 58 | + } |
| 59 | + } |
| 60 | + `, |
| 61 | + { |
| 62 | + owner: context.repo.owner, |
| 63 | + repo: context.repo.repo, |
| 64 | + number: pr.number, |
| 65 | + } |
| 66 | + ); |
85 | 67 |
|
86 | | - const effectiveApprovers = |
87 | | - result.repository.pullRequest.latestOpinionatedReviews.nodes |
88 | | - .filter((review) => review.state === "APPROVED") |
89 | | - .map((review) => review.author?.login) |
90 | | - .filter(Boolean); |
| 68 | + const effectiveApprovers = |
| 69 | + result.repository.pullRequest.latestOpinionatedReviews.nodes |
| 70 | + .filter((review) => review.state === "APPROVED") |
| 71 | + .map((review) => review.author?.login) |
| 72 | + .filter(Boolean); |
91 | 73 |
|
92 | | - core.info( |
93 | | - `Latest effective approvers (${effectiveApprovers.length}): ${effectiveApprovers.join(", ")}` |
94 | | - ); |
| 74 | + core.info( |
| 75 | + `Latest effective approvers (${effectiveApprovers.length}): ${effectiveApprovers.join(", ")}` |
| 76 | + ); |
95 | 77 |
|
96 | | - if (effectiveApprovers.length < 2) { |
97 | | - state = "failure"; |
98 | | - description = "PRs from clockwork-labs-bot require at least 2 approvals"; |
99 | | - } else { |
100 | | - state = "success"; |
101 | | - description = "PR has the required number of approvals"; |
102 | | - } |
103 | | - } |
| 78 | + if (effectiveApprovers.length < 2) { |
| 79 | + core.setFailed("PRs from clockwork-labs-bot require at least 2 approvals."); |
| 80 | + return; |
104 | 81 | } |
105 | 82 |
|
106 | | - core.info(`Publishing status ${state} for ${targetSha}: ${description}`); |
107 | | -
|
108 | | - // We need to set a separate commit status for this, because it runs on both |
109 | | - // pull_request and pull_request_review events. If we don't set an explicit context, |
110 | | - // what happens is that there are sometimes two separate statuses on the same commit - |
111 | | - // one from each event type. This leads to weird cases where one copy of the check is failed, |
112 | | - // and the other is successful, and the failed one blocks the PR from merging. |
113 | | - await github.rest.repos.createCommitStatus({ |
114 | | - owner: context.repo.owner, |
115 | | - repo: context.repo.repo, |
116 | | - sha: targetSha, |
117 | | - state, |
118 | | - context: contextName, |
119 | | - description, |
120 | | - }); |
| 83 | + core.info("PR has the required number of approvals."); |
0 commit comments