Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 42 additions & 29 deletions .github/workflows/checkAndSubmitAddonMetadata.yml
Original file line number Diff line number Diff line change
Expand Up @@ -201,16 +201,17 @@ jobs:
vtResultsJSON: ${{ steps.setVirusTotalAnalysisStatus.outputs.vtResults }}
vtKeySet: ${{ env.VT_API_KEY != '' }}
steps:
# checkout of repo needed for posting comments to issues
- name: Checkout repository
uses: actions/checkout@v6
with:
ref: ${{ env.branchName }}
Comment on lines +204 to +208

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't it be more efficient to leave the checkout until after this check, and in "Warn if VT not set up correctly" do

gh -R "${{ github.repository }}" issue comment "${{ inputs.issueNumber }}" --body-file vt-not-set-up-correctly.md

- name: Check if VT_API_KEY is set
id: checkVTKey
if: ${{ !env.VT_API_KEY }}
run: |
echo "VT_API_KEY secret is not set. Skipping VirusTotal analysis."
exit 1
- name: Checkout repository
uses: actions/checkout@v6
with:
ref: ${{ env.branchName }}
- name: Install Node.js
uses: actions/setup-node@v6
- name: Install npm dependencies
Expand Down Expand Up @@ -333,44 +334,53 @@ jobs:
if: ${{ always() && (needs.requireSecurityManualApproval.result == 'failure' || needs.requireSubmitterManualApproval.result == 'failure') }}
runs-on: ubuntu-latest
permissions:
actions: read
contents: write
issues: write
pull-requests: write
steps:
- name: Checkout code
uses: actions/checkout@v6
with:
ref: ${{ env.branchName }}
- name: Fetch Rejection Comment
uses: actions/github-script@v9
env:
GH_TOKEN: ${{ github.token }}
id: fetchRejectionComment
with:
script: |
// Fetch the review history for the current workflow run
const response = await github.rest.actions.getApprovedProcessorReviewedHistoriesForWorkflowRun({
owner: context.repo.owner,
repo: context.repo.repo,
run_id: context.runId
});
run: |
approvalsJson="$(gh api \
-H 'Accept: application/vnd.github+json' \
"/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/approvals" \
2>/dev/null || echo '[]')"

rejectionReasons="$(
printf '%s' "$approvalsJson" | jq -r '
[ .[]? | select(.state == "rejected") | "- " + (.comment // "No reason provided.") ]
| if length == 0 then "- No reason provided." else join("\n") end
'
)"

// Filter out the rejection entry/entries.
const rejectionEvents = response.data.filter(
review => review.state === 'rejected'
);
reviewers="$(
printf '%s' "$approvalsJson" | jq -r '
[ .[]? | select(.state == "rejected") | .user.login ]
| unique
| if length == 0 then "Unknown reviewer" else join(", ") end
'
)"

const rejectionReasons = [];
const reviewers = [];
for (const event of rejectionEvents) {
const reason = event.comment || "No reason provided.";
const reviewer = event.user.login;
rejectionReasons.push(`- ${reason}`);
reviewers.push(reviewer);
}
core.setOutput('rejectionReasons', rejectionReasons.join('\n'));
core.setOutput('reviewers', reviewers.join(', '));
{
echo 'rejectionReasons<<EOF'
echo "$rejectionReasons"
echo 'EOF'
echo "reviewers=$reviewers"
} >> "$GITHUB_OUTPUT"

- name: Post manual review failure comment and close PR and issue
run: |
gh issue comment "${{ inputs.issueNumber }}" --body "${{ env.body }}"
gh pr close "${{ needs.createPullRequest.outputs.pullRequestNumber }}"
gh branch delete ${{ env.branchName }} --remote --force
gh issue close "${{ inputs.issueNumber }}" --reason "not planned"
gh pr close "${{ needs.createPullRequest.outputs.pullRequestNumber }}"
git push origin --delete "${{ env.branchName }}"
env:
GH_TOKEN: ${{ github.token }}
body: |
Expand Down Expand Up @@ -517,6 +527,9 @@ jobs:
git config user.email "github-actions@github.com"
git fetch origin master
git merge origin/master --no-edit
git push --set-upstream origin ${{ env.branchName }}
# wait for a few seconds to ensure the PR is up to date before merging
sleep 3
Comment on lines +531 to +532

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is this necessary? git push is synchronous. This also seems very fragile.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was hoping this would fix whatever is causing #10139

gh pr merge --admin --squash ${{ env.branchName }} -b '[Automated] Merged ${{ needs.getAddonId.outputs.addonFileName }} into master (PR #${{ needs.createPullRequest.outputs.pullRequestNumber }})'
- name: Comment on issue confirming successful submission
env:
Expand Down
2 changes: 2 additions & 0 deletions docs/dev/submissionReview.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,8 @@ The process for reviewing pending first submissions is as follows:
* Check for any obvious red flags with the repository i.e. it doesn't look structured as an add-on, inappropriate content in the readme, author and code only been around for a few days
* Ensure there is not a clash of add-on IDs by checking [submitters.json](../../submitters.json) for similar IDs.
1. Approve or deny the `submitterReview` deploy environment.
* If you are unsure, leave a comment outlining why the add-on is being left open and what's needed to decide how to process it.
Tag another member of NV Access for a second opinion if needed.
* When rejecting, the rejection message(s) are provided to the user as the closing reason(s).
The issue and PR will be closed.
Make sure to clarify any further information on the issue.
Expand Down
Loading