Add GitHub Action to enforce architect approval for strict version pins #3
| name: Check for Strict Version Pins | |
| on: | |
| pull_request: | |
| paths: | |
| - 'sdk/**/setup.py' | |
| - 'sdk/**/pyproject.toml' | |
| permissions: | |
| pull-requests: write | |
| contents: read | |
| jobs: | |
| check-strict-pins: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Fetch base branch | |
| run: | | |
| git fetch origin ${{ github.base_ref }} | |
| - name: Check for strict version pins | |
| id: check-pins | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| REPO: ${{ github.repository }} | |
| BASE_REF: origin/${{ github.base_ref }} | |
| HEAD_REF: ${{ github.sha }} | |
| run: | | |
| python .github/scripts/check_strict_pins.py | |
| - name: Comment on PR if strict pins found | |
| if: steps.check-pins.outputs.strict_pins_found == 'true' | |
| uses: actions/github-script@v7 | |
| with: | |
| script: | | |
| const strictPins = `${{ steps.check-pins.outputs.strict_pins_details }}`; | |
| const architectApproved = `${{ steps.check-pins.outputs.architect_approved }}`; | |
| let message = '## ⚠️ Strict Version Pin Detected\n\n'; | |
| message += 'This PR introduces one or more strict version pins (`==`) in main runtime dependencies:\n\n'; | |
| message += '```\n' + strictPins + '\n```\n\n'; | |
| if (architectApproved === 'true') { | |
| message += '✅ An architect has approved this PR.\n'; | |
| } else { | |
| message += '❌ **This PR requires approval from one of the following architects:**\n'; | |
| message += '- @kashifkhan\n'; | |
| message += '- @annatisch\n'; | |
| message += '- @johanste\n\n'; | |
| message += 'Please request a review from one of these architects before merging.\n'; | |
| } | |
| // Check if comment already exists | |
| const { data: comments } = await github.rest.issues.listComments({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| }); | |
| const botComment = comments.find(comment => | |
| comment.user.type === 'Bot' && | |
| comment.body.includes('Strict Version Pin Detected') | |
| ); | |
| if (botComment) { | |
| await github.rest.issues.updateComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| comment_id: botComment.id, | |
| body: message | |
| }); | |
| } else { | |
| await github.rest.issues.createComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| body: message | |
| }); | |
| } | |
| - name: Block merge if architect approval required | |
| if: steps.check-pins.outputs.strict_pins_found == 'true' && steps.check-pins.outputs.architect_approved == 'false' | |
| run: | | |
| echo "::error::Strict version pins detected without architect approval" | |
| echo "This PR introduces strict version pins (==) in main runtime dependencies." | |
| echo "Approval required from: kashifkhan, annatisch, or johanste" | |
| exit 1 | |
| - name: Success - No strict pins or approved | |
| if: steps.check-pins.outputs.strict_pins_found == 'false' || steps.check-pins.outputs.architect_approved == 'true' | |
| run: | | |
| if [ "${{ steps.check-pins.outputs.strict_pins_found }}" == "true" ]; then | |
| echo "✅ Strict version pins detected but architect has approved" | |
| else | |
| echo "✅ No new strict version pins detected in main runtime dependencies" | |
| fi |
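Review bot: The two `${{ steps.check-pins.outputs.* }}` expressions on the `const strictPins` and `const architectApproved` lines are expanded into the JavaScript source of the `github-script` step before it runs, and `strict_pins_details` is built from dependency lines in the PR's own `setup.py`/`pyproject.toml` files, so a backtick or `${` in that text changes the script rather than the message. The usual mitigation is to pass the outputs through the step's `env:` and read `process.env` in the script, which keeps the values as data; the rest of the step (message assembly, comment lookup and upsert) needs no change. Separately, it looks like `architect_approved` is computed by `check_strict_pins.py` at run time, and `on: pull_request` does not re-run when a review is submitted, so an approval given after the last push would presumably not be picked up until a re-run — adding `pull_request_review` to `on:` would be worth confirming against what the script does. Also note that on `pull_request` events from forks the `GITHUB_TOKEN` is read-only regardless of the `permissions:` block, so the comment step would fail there even though the `exit 1` step still blocks the merge.

```yaml
      - name: Comment on PR if strict pins found
        if: steps.check-pins.outputs.strict_pins_found == 'true'
        uses: actions/github-script@v7
        env:
          STRICT_PINS: ${{ steps.check-pins.outputs.strict_pins_details }}
          ARCHITECT_APPROVED: ${{ steps.check-pins.outputs.architect_approved }}
        with:
          script: |
            const strictPins = process.env.STRICT_PINS;
            const architectApproved = process.env.ARCHITECT_APPROVED;
            # … unchanged: message assembly, existing-comment lookup, update/create …
```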