From 0bb3094f544579188145eb2706b28105a274d399 Mon Sep 17 00:00:00 2001 From: Sean Budd Date: Thu, 9 Jul 2026 17:05:03 +1000 Subject: [PATCH 1/9] Fix rejection handling --- .../workflows/checkAndSubmitAddonMetadata.yml | 51 ++++++++++--------- 1 file changed, 28 insertions(+), 23 deletions(-) diff --git a/.github/workflows/checkAndSubmitAddonMetadata.yml b/.github/workflows/checkAndSubmitAddonMetadata.yml index 3f62df57fa2..fd51dbf7c9f 100644 --- a/.github/workflows/checkAndSubmitAddonMetadata.yml +++ b/.github/workflows/checkAndSubmitAddonMetadata.yml @@ -333,37 +333,42 @@ jobs: if: ${{ always() && (needs.requireSecurityManualApproval.result == 'failure' || needs.requireSubmitterManualApproval.result == 'failure') }} runs-on: ubuntu-latest permissions: + actions: read contents: write issues: write pull-requests: write steps: - name: Fetch Rejection Comment - uses: actions/github-script@v9 + env: + GH_TOKEN: ${{ github.token }} id: fetchRejectionComment - with: - script: | - // Fetch the review history for the current workflow run - const response = await github.rest.actions.getApprovedProcessorReviewedHistoriesForWorkflowRun({ - owner: context.repo.owner, - repo: context.repo.repo, - run_id: context.runId - }); + run: | + approvalsJson="$(gh api \ + -H 'Accept: application/vnd.github+json' \ + "/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/approvals" \ + 2>/dev/null || true)" + + rejectionReasons="$( + printf '%s' "$approvalsJson" | jq -r ' + [ .[]? | select(.state == "rejected") | "- " + (.comment // "No reason provided.") ] + | if length == 0 then "- No reason provided." else join("\n") end + ' + )" - // Filter out the rejection entry/entries. - const rejectionEvents = response.data.filter( - review => review.state === 'rejected' - ); + reviewers="$( + printf '%s' "$approvalsJson" | jq -r ' + [ .[]? | select(.state == "rejected") | .user.login ] + | unique + | if length == 0 then "Unknown reviewer" else join(", ") end + ' + )" - const rejectionReasons = []; - const reviewers = []; - for (const event of rejectionEvents) { - const reason = event.comment || "No reason provided."; - const reviewer = event.user.login; - rejectionReasons.push(`- ${reason}`); - reviewers.push(reviewer); - } - core.setOutput('rejectionReasons', rejectionReasons.join('\n')); - core.setOutput('reviewers', reviewers.join(', ')); + { + echo 'rejectionReasons<> "$GITHUB_OUTPUT" - name: Post manual review failure comment and close PR and issue run: | From 48b934d3ced1cad56a57e23aba86acb28310efb5 Mon Sep 17 00:00:00 2001 From: Sean Budd Date: Thu, 9 Jul 2026 17:06:08 +1000 Subject: [PATCH 2/9] temp revert trust submitter --- submitters.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/submitters.json b/submitters.json index c7e2b81b059..0a7a6794d87 100644 --- a/submitters.json +++ b/submitters.json @@ -1,7 +1,6 @@ { "7090342": { - "githubName": "seanbudd", - "trustedSubmitter": true + "githubName": "seanbudd" }, "16543535": { "githubName": "SaschaCowley", From 7c3aaef5ece1163a8bbf28254729c26687d26d82 Mon Sep 17 00:00:00 2001 From: Sean Budd Date: Thu, 9 Jul 2026 17:11:52 +1000 Subject: [PATCH 3/9] fix checkout --- .github/workflows/checkAndSubmitAddonMetadata.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/checkAndSubmitAddonMetadata.yml b/.github/workflows/checkAndSubmitAddonMetadata.yml index fd51dbf7c9f..61199a3f33a 100644 --- a/.github/workflows/checkAndSubmitAddonMetadata.yml +++ b/.github/workflows/checkAndSubmitAddonMetadata.yml @@ -201,16 +201,17 @@ jobs: vtResultsJSON: ${{ steps.setVirusTotalAnalysisStatus.outputs.vtResults }} vtKeySet: ${{ env.VT_API_KEY != '' }} steps: + # checkout of repo needed for posting comments to issues + - name: Checkout repository + uses: actions/checkout@v6 + with: + ref: ${{ env.branchName }} - name: Check if VT_API_KEY is set id: checkVTKey if: ${{ !env.VT_API_KEY }} run: | echo "VT_API_KEY secret is not set. Skipping VirusTotal analysis." exit 1 - - name: Checkout repository - uses: actions/checkout@v6 - with: - ref: ${{ env.branchName }} - name: Install Node.js uses: actions/setup-node@v6 - name: Install npm dependencies @@ -522,6 +523,9 @@ jobs: git config user.email "github-actions@github.com" git fetch origin master git merge origin/master --no-edit + git push --set-upstream origin ${{ env.branchName }} + # wait for a few seconds to ensure the PR is up to date before merging + sleep 3 gh pr merge --admin --squash ${{ env.branchName }} -b '[Automated] Merged ${{ needs.getAddonId.outputs.addonFileName }} into master (PR #${{ needs.createPullRequest.outputs.pullRequestNumber }})' - name: Comment on issue confirming successful submission env: From b1d95bcb9c976a8faa0d4f509d999c5a2ffa5f23 Mon Sep 17 00:00:00 2001 From: Sean Budd Date: Thu, 9 Jul 2026 17:18:05 +1000 Subject: [PATCH 4/9] add checkout --- .github/workflows/checkAndSubmitAddonMetadata.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/checkAndSubmitAddonMetadata.yml b/.github/workflows/checkAndSubmitAddonMetadata.yml index 61199a3f33a..925de42d2a3 100644 --- a/.github/workflows/checkAndSubmitAddonMetadata.yml +++ b/.github/workflows/checkAndSubmitAddonMetadata.yml @@ -339,6 +339,10 @@ jobs: issues: write pull-requests: write steps: + - name: Checkout code + uses: actions/checkout@v6 + with: + ref: ${{ env.branchName }} - name: Fetch Rejection Comment env: GH_TOKEN: ${{ github.token }} From 74bc563e3afac35fb67373be9cd99a56c613f62c Mon Sep 17 00:00:00 2001 From: Sean Budd Date: Thu, 9 Jul 2026 18:32:00 +1000 Subject: [PATCH 5/9] improve docs --- docs/dev/submissionReview.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/dev/submissionReview.md b/docs/dev/submissionReview.md index 263ed6c0170..cf306f5c758 100644 --- a/docs/dev/submissionReview.md +++ b/docs/dev/submissionReview.md @@ -33,6 +33,8 @@ The process for reviewing pending first submissions is as follows: * Check for any obvious red flags with the repository i.e. it doesn't look structured as an add-on, inappropriate content in the readme, author and code only been around for a few days * Ensure there is not a clash of add-on IDs by checking [submitters.json](../../submitters.json) for similar IDs. 1. Approve or deny the `submitterReview` deploy environment. + * If you are unsure, leave a comment outlining why the add-on is being left open and what's needed to decide how to process it. + Tag another member of NV Access for a second opinion if needed. * When rejecting, the rejection message(s) are provided to the user as the closing reason(s). The issue and PR will be closed. Make sure to clarify any further information on the issue. From 27a0a0936533d3967ea68c43f3391da87bf676ad Mon Sep 17 00:00:00 2001 From: Sean Budd Date: Thu, 9 Jul 2026 18:40:39 +1000 Subject: [PATCH 6/9] fix slop --- .github/workflows/checkAndSubmitAddonMetadata.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/checkAndSubmitAddonMetadata.yml b/.github/workflows/checkAndSubmitAddonMetadata.yml index 925de42d2a3..88206ab2cdb 100644 --- a/.github/workflows/checkAndSubmitAddonMetadata.yml +++ b/.github/workflows/checkAndSubmitAddonMetadata.yml @@ -378,8 +378,7 @@ jobs: - name: Post manual review failure comment and close PR and issue run: | gh issue comment "${{ inputs.issueNumber }}" --body "${{ env.body }}" - gh pr close "${{ needs.createPullRequest.outputs.pullRequestNumber }}" - gh branch delete ${{ env.branchName }} --remote --force + gh pr close "${{ needs.createPullRequest.outputs.pullRequestNumber }}" --delete-branch gh issue close "${{ inputs.issueNumber }}" --reason "not planned" env: GH_TOKEN: ${{ github.token }} From 7abbb8e4383216617e4774c1108a6ec067c4b7b1 Mon Sep 17 00:00:00 2001 From: Sean Budd Date: Fri, 10 Jul 2026 09:18:08 +1000 Subject: [PATCH 7/9] close issue first --- .github/workflows/checkAndSubmitAddonMetadata.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/checkAndSubmitAddonMetadata.yml b/.github/workflows/checkAndSubmitAddonMetadata.yml index 88206ab2cdb..08cf421c622 100644 --- a/.github/workflows/checkAndSubmitAddonMetadata.yml +++ b/.github/workflows/checkAndSubmitAddonMetadata.yml @@ -351,7 +351,7 @@ jobs: approvalsJson="$(gh api \ -H 'Accept: application/vnd.github+json' \ "/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/approvals" \ - 2>/dev/null || true)" + 2>/dev/null || echo '[]')" rejectionReasons="$( printf '%s' "$approvalsJson" | jq -r ' @@ -378,8 +378,8 @@ jobs: - name: Post manual review failure comment and close PR and issue run: | gh issue comment "${{ inputs.issueNumber }}" --body "${{ env.body }}" - gh pr close "${{ needs.createPullRequest.outputs.pullRequestNumber }}" --delete-branch gh issue close "${{ inputs.issueNumber }}" --reason "not planned" + gh pr close "${{ needs.createPullRequest.outputs.pullRequestNumber }}" --delete-branch env: GH_TOKEN: ${{ github.token }} body: | From a1e5837584fecfe2c28214f19942d8788642bd46 Mon Sep 17 00:00:00 2001 From: Sean Budd Date: Fri, 10 Jul 2026 09:34:31 +1000 Subject: [PATCH 8/9] fix delete --- .github/workflows/checkAndSubmitAddonMetadata.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/checkAndSubmitAddonMetadata.yml b/.github/workflows/checkAndSubmitAddonMetadata.yml index 08cf421c622..3f359c89e67 100644 --- a/.github/workflows/checkAndSubmitAddonMetadata.yml +++ b/.github/workflows/checkAndSubmitAddonMetadata.yml @@ -379,7 +379,8 @@ jobs: run: | gh issue comment "${{ inputs.issueNumber }}" --body "${{ env.body }}" gh issue close "${{ inputs.issueNumber }}" --reason "not planned" - gh pr close "${{ needs.createPullRequest.outputs.pullRequestNumber }}" --delete-branch + gh pr close "${{ needs.createPullRequest.outputs.pullRequestNumber }}" + git push origin --delete "${{ env.branchName }}" env: GH_TOKEN: ${{ github.token }} body: | From 7c1d157f6935af7700a245dfcbd60a967779d629 Mon Sep 17 00:00:00 2001 From: Sean Budd Date: Fri, 10 Jul 2026 09:38:23 +1000 Subject: [PATCH 9/9] Apply suggestion from @seanbudd Signed-off-by: Sean Budd --- submitters.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/submitters.json b/submitters.json index 0a7a6794d87..c7e2b81b059 100644 --- a/submitters.json +++ b/submitters.json @@ -1,6 +1,7 @@ { "7090342": { - "githubName": "seanbudd" + "githubName": "seanbudd", + "trustedSubmitter": true }, "16543535": { "githubName": "SaschaCowley",