diff --git a/.github/workflows/checkAndSubmitAddonMetadata.yml b/.github/workflows/checkAndSubmitAddonMetadata.yml index 3f62df57fa2..3f359c89e67 100644 --- a/.github/workflows/checkAndSubmitAddonMetadata.yml +++ b/.github/workflows/checkAndSubmitAddonMetadata.yml @@ -201,16 +201,17 @@ jobs: vtResultsJSON: ${{ steps.setVirusTotalAnalysisStatus.outputs.vtResults }} vtKeySet: ${{ env.VT_API_KEY != '' }} steps: + # checkout of repo needed for posting comments to issues + - name: Checkout repository + uses: actions/checkout@v6 + with: + ref: ${{ env.branchName }} - name: Check if VT_API_KEY is set id: checkVTKey if: ${{ !env.VT_API_KEY }} run: | echo "VT_API_KEY secret is not set. Skipping VirusTotal analysis." exit 1 - - name: Checkout repository - uses: actions/checkout@v6 - with: - ref: ${{ env.branchName }} - name: Install Node.js uses: actions/setup-node@v6 - name: Install npm dependencies @@ -333,44 +334,53 @@ jobs: if: ${{ always() && (needs.requireSecurityManualApproval.result == 'failure' || needs.requireSubmitterManualApproval.result == 'failure') }} runs-on: ubuntu-latest permissions: + actions: read contents: write issues: write pull-requests: write steps: + - name: Checkout code + uses: actions/checkout@v6 + with: + ref: ${{ env.branchName }} - name: Fetch Rejection Comment - uses: actions/github-script@v9 + env: + GH_TOKEN: ${{ github.token }} id: fetchRejectionComment - with: - script: | - // Fetch the review history for the current workflow run - const response = await github.rest.actions.getApprovedProcessorReviewedHistoriesForWorkflowRun({ - owner: context.repo.owner, - repo: context.repo.repo, - run_id: context.runId - }); + run: | + approvalsJson="$(gh api \ + -H 'Accept: application/vnd.github+json' \ + "/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/approvals" \ + 2>/dev/null || echo '[]')" + + rejectionReasons="$( + printf '%s' "$approvalsJson" | jq -r ' + [ .[]? | select(.state == "rejected") | "- " + (.comment // "No reason provided.") ] + | if length == 0 then "- No reason provided." else join("\n") end + ' + )" - // Filter out the rejection entry/entries. - const rejectionEvents = response.data.filter( - review => review.state === 'rejected' - ); + reviewers="$( + printf '%s' "$approvalsJson" | jq -r ' + [ .[]? | select(.state == "rejected") | .user.login ] + | unique + | if length == 0 then "Unknown reviewer" else join(", ") end + ' + )" - const rejectionReasons = []; - const reviewers = []; - for (const event of rejectionEvents) { - const reason = event.comment || "No reason provided."; - const reviewer = event.user.login; - rejectionReasons.push(`- ${reason}`); - reviewers.push(reviewer); - } - core.setOutput('rejectionReasons', rejectionReasons.join('\n')); - core.setOutput('reviewers', reviewers.join(', ')); + { + echo 'rejectionReasons<> "$GITHUB_OUTPUT" - name: Post manual review failure comment and close PR and issue run: | gh issue comment "${{ inputs.issueNumber }}" --body "${{ env.body }}" - gh pr close "${{ needs.createPullRequest.outputs.pullRequestNumber }}" - gh branch delete ${{ env.branchName }} --remote --force gh issue close "${{ inputs.issueNumber }}" --reason "not planned" + gh pr close "${{ needs.createPullRequest.outputs.pullRequestNumber }}" + git push origin --delete "${{ env.branchName }}" env: GH_TOKEN: ${{ github.token }} body: | @@ -517,6 +527,9 @@ jobs: git config user.email "github-actions@github.com" git fetch origin master git merge origin/master --no-edit + git push --set-upstream origin ${{ env.branchName }} + # wait for a few seconds to ensure the PR is up to date before merging + sleep 3 gh pr merge --admin --squash ${{ env.branchName }} -b '[Automated] Merged ${{ needs.getAddonId.outputs.addonFileName }} into master (PR #${{ needs.createPullRequest.outputs.pullRequestNumber }})' - name: Comment on issue confirming successful submission env: diff --git a/docs/dev/submissionReview.md b/docs/dev/submissionReview.md index 263ed6c0170..cf306f5c758 100644 --- a/docs/dev/submissionReview.md +++ b/docs/dev/submissionReview.md @@ -33,6 +33,8 @@ The process for reviewing pending first submissions is as follows: * Check for any obvious red flags with the repository i.e. it doesn't look structured as an add-on, inappropriate content in the readme, author and code only been around for a few days * Ensure there is not a clash of add-on IDs by checking [submitters.json](../../submitters.json) for similar IDs. 1. Approve or deny the `submitterReview` deploy environment. + * If you are unsure, leave a comment outlining why the add-on is being left open and what's needed to decide how to process it. + Tag another member of NV Access for a second opinion if needed. * When rejecting, the rejection message(s) are provided to the user as the closing reason(s). The issue and PR will be closed. Make sure to clarify any further information on the issue.