[bfops/pr-approval-check-again]: fix?

bfops · bfops · commit df5f4bbfbf5e · 2026-03-20T08:58:06.000-07:00
diff --git a/.github/workflows/pr_approval_report.yml b/.github/workflows/pr_approval_report.yml
@@ -5,7 +5,9 @@ name: Review Checks Reporter
 # SECURITY: This workflow runs with base-repository privileges after the
 # evaluator completes. It must not check out or execute PR code, and it must not
 # consume artifacts from the untrusted workflow. It only reads trusted workflow
-# metadata and publishes a narrow commit-status update.
+# metadata and returns a normal workflow result.
+
+name: PR approval check
 
 on:
   workflow_run:
@@ -16,51 +18,31 @@ on:
 
 permissions:
   contents: read
-  statuses: write
 
 jobs:
   publish-approval-status:
-    name: Publish approval status
+    name: PR approval check
     runs-on: ubuntu-latest
+    if: github.event.workflow_run.event != 'merge_group'
 
     # SECURITY: Do not add a checkout step to this job. See comment at the top of this file.
     steps:
-      - name: PR approval check
+      - name: Evaluate approval status
         uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
-            if (context.payload.workflow_run.event === "merge_group") {
-              core.info("Merge group runs publish approval status directly from the evaluator.");
-              return;
-            }
-
-            const conclusion = context.payload.workflow_run.conclusion;
-
-            let state;
-            let description;
+            const workflowRun = context.payload.workflow_run;
+            const conclusion = workflowRun.conclusion;
 
             if (conclusion === "success") {
-              state = "success";
-              description = "Approval requirements satisfied";
-            } else if (conclusion === "cancelled" || conclusion === "timed_out") {
-              state = "error";
-              description = `Approval evaluation ${conclusion}`;
-            } else {
-              state = "failure";
-              description = "Approval requirements not satisfied";
+              core.info("Approval requirements satisfied.");
+              return;
             }
 
-            core.info(
-              `Publishing ${state} for ${context.payload.workflow_run.head_sha} from evaluator conclusion ${conclusion}`
-            );
+            if (conclusion === "cancelled" || conclusion === "timed_out") {
+              core.setFailed(`Approval evaluation ${conclusion}`);
+              return;
+            }
 
-            await github.rest.repos.createCommitStatus({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              sha: context.payload.workflow_run.head_sha,
-              state,
-              context: contextName,
-              description,
-              target_url: context.payload.workflow_run.html_url,
-            });
+            core.setFailed("Approval requirements not satisfied.");
