Migrate surrogates and tracker blocking scripts from native Apple #1620
# Review Validation: publishes an "Authorized Review" commit status on the PR head
# commit, based on whether an approval from one of the required teams is found.
name: Review Validation

# Runs when a review is submitted or dismissed, when a PR is opened or updated,
# and for merge-queue groups.
# NOTE(review): these are `pull_request*` triggers, so runs for PRs from forks get
# no repository secrets and a read-only token; DAX_PAT would then be empty and the
# status write may be rejected. Confirm how fork PRs are meant to be handled.
on:
  pull_request_review:
    types:
      - submitted
      - dismissed
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
  merge_group:

# Token scopes are listed explicitly; `statuses: write` is what the
# createCommitStatus call in the script needs.
permissions:
  contents: read
  pull-requests: read
  statuses: write

jobs:
  review_validation:
    runs-on: ubuntu-latest
    steps:
      # Merge-queue runs do no validation of their own; this step only echoes a message.
      # NOTE(review): this is safe only if a PR cannot enter the queue without a
      # successful "Authorized Review" status. Confirm in the branch protection rules.
      - name: Merge queue pass-through
        if: github.event_name == 'merge_group'
        run: echo "Review already validated before entering merge queue"

      # The ref is the PR's *base* branch and only the two listed paths are checked
      # out, so the helper script and the team list executed below come from the base
      # branch rather than from the changes under review.
      # NOTE(review): `@v6` here and `@v8` below are mutable tags; pinning to a full
      # commit SHA is the stricter supply-chain choice.
      - name: Checkout base branch
        if: github.event_name != 'merge_group'
        uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.base.ref }}
          sparse-checkout: |
            .github/REQUIRED_TEAMS
            .github/scripts
          sparse-checkout-cone-mode: false

      # DAX_PAT is exposed only to this step, as ORG_TOKEN.
      # NOTE(review): presumably needed for organization team-membership lookups.
      # Confirm in review-helpers.mjs and keep the PAT's scopes to the minimum.
      - name: Validate approved review from authorized reviewer
        if: github.event_name != 'merge_group'
        uses: actions/github-script@v8
        env:
          ORG_TOKEN: ${{ secrets.DAX_PAT }}
        with:
          script: |
            // Helpers are loaded from the working tree populated by the base-branch checkout.
            const helpersPath = `${process.cwd()}/.github/scripts/review-helpers.mjs`;
            const { loadRequiredTeams, findAuthorizedApproval } = await import(helpersPath);

            const teams = loadRequiredTeams();
            // The status is attached to the PR head commit reported by the triggering event.
            // NOTE(review): whether an approval given on an earlier commit still counts after
            // a `synchronize` push is decided inside findAuthorizedApproval; confirm there.
            const sha = context.payload.pull_request.head.sha;
            const repo = { owner: context.repo.owner, repo: context.repo.repo };
            const teamsList = teams.map((team) => `@duckduckgo/${team}`).join(', ');

            // Publishes the "Authorized Review" commit status. The description is cut to
            // 140 characters, the length the commit status API accepts.
            const setReviewStatus = async ({ state, description }) => {
              const statusRequest = {
                ...repo,
                sha,
                state,
                context: 'Authorized Review',
                description: description.substring(0, 140)
              };
              await github.rest.repos.createCommitStatus(statusRequest);
            };

            let approval;
            try {
              const lookup = {
                ...repo,
                prNumber: context.payload.pull_request.number,
                org: 'duckduckgo',
                teams,
                // An empty or missing secret is passed on as undefined, not as ''.
                orgToken: process.env.ORG_TOKEN || undefined
              };
              approval = await findAuthorizedApproval(github, lookup);
            } catch (error) {
              // Fail closed: a lookup failure is reported as `error` and fails the job; it is
              // never treated as an approval.
              // NOTE(review): error.message ends up in a commit status that everyone who can
              // see the PR can read. Confirm helper errors never carry token material.
              let failure;
              if (error.status === 401) {
                failure = 'DAX_PAT returned 401 — token may be expired or misconfigured';
              } else {
                failure = `Review validation failed: ${error.message} (status: ${error.status ?? 'unknown'})`;
              }
              await setReviewStatus({ state: 'error', description: failure });
              core.setFailed(failure);
              return;
            }

            if (!approval) {
              // The job itself still succeeds on this path; only the commit status says
              // "pending", so the merge gate has to require the "Authorized Review" status
              // context rather than this job's result.
              await setReviewStatus({
                state: 'pending',
                description: `Waiting for approval. Required teams: ${teamsList}`
              });
              core.info('⏳ No approval yet — commit status set to pending');
            } else {
              const teamNote = approval.team ? `(member of ${approval.team})` : '';
              const summary = `Approved by ${approval.user} ${teamNote}`.trim();
              await setReviewStatus({ state: 'success', description: summary });
              core.info(`✅ ${summary}`);
            }