Disable review approval portion of downstream change check (#449)

dcandler · web-flow · commit 5522f06d57fe · 2025-07-29T14:54:31.000+01:00
The default access token used in GitHub Actions workflows does not have
the required permissions to see the list of team members, which exists
outside of the arm-toolchain repo at the arm org level. As a result,
attempting to check which teams have reviewed a pull request will
currently cause an error.

For now, remove the check until it can be reworked. Since there will no
longer be a hard gated check on whether a pull request has been
sufficiently reviewed, the automated comment has been updated to remind
to wait for both teams before merging.
diff --git a/.github/workflows/check_downstream_changes.yml b/.github/workflows/check_downstream_changes.yml
@@ -23,19 +23,15 @@ on:
       - reopened
       - edited
       - synchronize
-  # Trigger whenever a pull request is reviewed to check which
-  # teams have approved.
-  pull_request_review:
-    types:
-      - submitted
-      - edited
-      - dismissed
+    branches:
+      - arm-software
+      - release/arm-software/**
 
 jobs:
   check-downstream-changes:
     runs-on: ubuntu-24.04-arm
 
-    if: github.repository == 'arm/arm-toolchain' && (github.event.pull_request.base.ref == 'arm-software' || startsWith(github.event.pull_request.base.ref, 'release/arm-software/'))
+    if: github.repository == 'arm/arm-toolchain'
 
     steps:
       - name: Checkout
diff --git a/arm-software/ci/check_downstream_changes.py b/arm-software/ci/check_downstream_changes.py
@@ -9,8 +9,7 @@
 A script to check that a pull request adheres to the downstream patch policy.
 If the pull request modifies file outside the arm-software build directory
 (or any other files excluded from automerge) then the pull request needs to
-contain specific text to link to a downstream tracking issue, and requires
-additional reviews.
+contain specific text to link to a downstream tracking issue.
 
 Requires the GitHub CLI tool (gh) to query the repo.
 """
@@ -30,10 +29,8 @@
 logger = logging.getLogger(__name__)
 
 MERGE_IGNORE_PATHSPEC_FILE = Path(__file__).parent / ".automerge_ignore"
-ARM_ORG_NAME = "arm"
-REQUIRED_TEAM_APPROVALS = {"arm-toolchain-embedded", "arm-toolchain-linux"}
 HELP_COMMENT_TEXT = """This pull review modifies files outside of the `arm-software` directory, so please ensure it follows the [Downstream Patch Policy](https://github.com/arm/arm-toolchain/blob/arm-software/CONTRIBUTING.md#downstream-patch-policy).
-An automated check will test if the tagging requirements have been met. In addition, approved reviews from both Arm Toolchain for Embedded and Arm Toolchain for Linux teams will be required before this check will pass."""
+An automated check will test if the tagging requirements have been met. Please wait for approving reviews from both Arm Toolchain for Embedded and Arm Toolchain for Linux teams before merging."""
 DOWNSTREAM_CHANGE_LABEL = "downstream-change"
 
 
@@ -69,7 +66,7 @@ def get_pr_json(pr_num: str, repo: str) -> dict:
         "--repo",
         repo,
         "--json",
-        "body,comments,files,labels,reviews,title",
+        "body,comments,files,labels,title",
     ]
     logger.debug(f"Running `{shlex.join(args)}`")
     try:
@@ -91,70 +88,6 @@ def get_pr_json(pr_num: str, repo: str) -> dict:
     return j
 
 
-# Use the api to get a list of members for a team.
-def get_team_members(org: str, team_name: str) -> set:
-    args = [
-        "gh",
-        "api",
-        "-H",
-        "Accept: application/vnd.github+json",
-        "-H",
-        "X-GitHub-Api-Version: 2022-11-28",
-        f"/orgs/{org}/teams/{team_name}/members",
-    ]
-    logger.debug(f"Running `{shlex.join(args)}`")
-    try:
-        p = subprocess.run(
-            args,
-            check=True,
-            capture_output=True,
-            text=True,
-        )
-    except subprocess.CalledProcessError as error:
-        logger.error(
-            f"Check error. Failure fetching team members\ncmd:{shlex.join(error.cmd)}\ncode:{error.returncode}\nstdout:{error.stdout}\nstderr:{error.stderr}"
-        )
-        sys.exit(1)
-    j = json.loads(p.stdout)
-    logger.debug(
-        f"Response from server for team {team_name}:\n{json.dumps(j, indent=4)}"
-    )
-    return j
-
-
-# Check that a pull review has approving reviews from a set of teams.
-def has_required_reviews(input_json: dict, teams_required: set[str]) -> bool:
-    # Get the members of each time, and map to their logins.
-    login_lookup = dict()
-    for team_name in teams_required:
-        team_json = get_team_members(ARM_ORG_NAME, team_name)
-        for entry in team_json:
-            # This assumes a user can't belong to both teams.
-            login_lookup[entry["login"]] = team_name
-
-    # Get the corresponding team for each approved review.
-    teams_remaining = teams_required.copy()
-    for review in input_json["reviews"]:
-        if review["state"] == "APPROVED":
-            reviewer_login = review["author"]["login"]
-            if reviewer_login in login_lookup:
-                reviewer_team = login_lookup[reviewer_login]
-                logger.info(
-                    f"Pull request has been approved by {reviewer_login} from the {reviewer_team} team."
-                )
-                if reviewer_team in teams_remaining:
-                    teams_remaining.remove(reviewer_team)
-
-    if len(teams_remaining) == 0:
-        logger.info("Pull request has been reviewed by all required teams.")
-        return True
-    else:
-        logger.info(
-            f"Pull request has not been reviewed by all required teams, missing: {teams_remaining}."
-        )
-        return False
-
-
 # Check that a value matches a valid issue.
 def is_valid_issue_num(issue_num: str, repo: str) -> bool:
     args = [
@@ -392,16 +325,10 @@ def main():
                 sys.exit(1)
             else:
                 add_issue_label(args.pr, args.repo, pr_json)
-                if has_required_reviews(pr_json, REQUIRED_TEAM_APPROVALS):
-                    logger.info(
-                        f"Check passed. Pull request #{args.pr} contains downstream changes, a correctly formatted link to a downstream tracking issue, and has been reviewed by both teams."
-                    )
-                    sys.exit(0)
-                else:
-                    logger.info(
-                        f"Check failed. Pull request #{args.pr} contains downstream changes, and a correctly formatted link to a downstream tracking issue, but has not been reviewed by both teams."
-                    )
-                    sys.exit(1)
+                logger.info(
+                    f"Check passed. Pull request #{args.pr} contains downstream changes, and a correctly formatted link to a downstream tracking issue."
+                )
+                sys.exit(0)
     else:
         if issue_num is None:
             logger.info(
