
Commit c7654ee

authored
Moved get approver into separate action (#22)
1 parent f09f909 commit c7654ee


2 files changed

+116
-38
lines changed

Lines changed: 69 additions & 0 deletions
@@ -0,0 +1,69 @@
1+
name: Get GitHub Workflow approver
2+
3+
# Gets the name of the person who has approved a workflow job
4+
# This is typically used to get the person who approved
5+
# deployment to an environment
6+
# The token needs access to the organizations audit-log
7+
# Go to the Developer's GitHub profile
8+
# -> Settings
9+
# -> Developer settings
10+
# -> Personal access tokens
11+
# -> New fine-grained personal access token
12+
# -> Generate new token
13+
# Token name: github-release-example-audit-log
14+
# Resource owner: kosli-dev
15+
# Expiration: one year
16+
# Description: Read audit log
17+
# Repository access: Only select repositories - kosli-dev/github-release-example
18+
# Permissions:
19+
# Organization permissions - Administration - Access: Read-only
20+
21+
inputs:
22+
gh-audit-log-reader-token:
23+
description: "GitHub token that gives you access to read the audit-log of the organization"
24+
required: true
25+
26+
outputs:
27+
approver:
28+
description: "Name of approver"
29+
value: ${{ steps.get-approver.outputs.approver }}
30+
31+
runs:
32+
using: "composite"
33+
steps:
34+
- name: Get approval actor from audit log
35+
id: get-approver
36+
shell: bash
37+
run: |
38+
API_URL="https://api.github.com/orgs/${{ github.repository_owner }}/audit-log"
39+
MAX_PAGES=5
40+
PER_PAGE=5
41+
APPROVER=""
42+
43+
for PAGE in $(seq 1 $MAX_PAGES); do
44+
echo "Checking page $PAGE..."
45+
curl -s -H "Authorization: Bearer ${{ inputs.gh-audit-log-reader-token }}" \
46+
-H "Accept: application/vnd.github+json" \
47+
--get \
48+
--data-urlencode "phrase=repo:${{ github.repository }}" \
49+
--data-urlencode "phrase=action:workflows.approve_workflow_job" \
50+
--data-urlencode "per_page=${PER_PAGE}" \
51+
--data-urlencode "page=${PAGE}" \
52+
"$API_URL" > audit.json
53+
54+
MATCH=$(jq -r --arg run_id ${{ github.run_id }} '
55+
.[] | select(.workflow_run_id == ($run_id | tonumber)) | .actor' audit.json)
56+
57+
if [[ -n "$MATCH" ]]; then
58+
echo "Found matching approval by: $MATCH"
59+
APPROVER="$MATCH"
60+
break
61+
fi
62+
done
63+
64+
if [[ -z "$APPROVER" ]]; then
65+
echo "No approval found for workflow_run_id: $WORKFLOW_RUN_ID"
66+
exit 1
67+
fi
68+
69+
echo "approver=$APPROVER" >> $GITHUB_OUTPUT
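Review bot: The audit-log token is spliced into the shell script text by `${{ inputs.gh-audit-log-reader-token }}` on the curl line, whereas the workflow code this action replaces passed it as `GH_TOKEN` through `env:`; expression interpolation writes the secret into the generated script rather than the process environment, which is the pattern GitHub's hardening guidance tells `run:` steps to avoid, so add `env:` with `GH_TOKEN: ${{ inputs.gh-audit-log-reader-token }}` to the step and use `-H "Authorization: Bearer ${GH_TOKEN}" \`. `$WORKFLOW_RUN_ID` in the failure message is never assigned, so the error prints an empty id; use `${{ github.run_id }}` there (or an `env:` entry such as `RUN_ID: ${{ github.run_id }}`), consistent with the value already handed to jq. `curl -s` carries no `--fail`, so an auth or rate-limit response would be written to audit.json as a JSON object and the following `jq '.[] | select(...)'` would stop with an indexing error instead of a message naming the HTTP status; `curl -sS --fail` (or `--fail-with-body`) makes the real cause visible. If jq matches more than one entry, `MATCH` is multi-line and the `echo "approver=..." >> $GITHUB_OUTPUT` line writes a malformed output; wrapping the filter in `first(...)` keeps a single actor.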

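--- a/.github/workflows/build-deploy-backend.yml
+++ b/.github/workflows/build-deploy-backend.yml
@@ -129,44 +129,54 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Get approval actor from audit log
-env:
-GH_TOKEN: ${{ secrets.READ_AUDIT_LOG }}
-OWNER: kosli-dev
-REPO: github-release-example
-run: |
-API_URL="https://api.github.com/orgs/${OWNER}/audit-log"
-MAX_PAGES=5
-PER_PAGE=5
-APPROVER=""
-
-for PAGE in $(seq 1 $MAX_PAGES); do
-echo "Checking page $PAGE..."
-curl -s -H "Authorization: Bearer ${GH_TOKEN}" \
--H "Accept: application/vnd.github+json" \
---get \
---data-urlencode "phrase=repo:${OWNER}/${REPO}" \
---data-urlencode "phrase=action:workflows.approve_workflow_job" \
---data-urlencode "per_page=${PER_PAGE}" \
---data-urlencode "page=${PAGE}" \
-"$API_URL" > audit.json
-
-MATCH=$(jq -r --arg run_id ${{ github.run_id }} '
-.[] | select(.workflow_run_id == ($run_id | tonumber)) | .actor' audit.json)
-
-if [[ -n "$MATCH" ]]; then
-echo "Found matching approval by: $MATCH"
-APPROVER="$MATCH"
-break
-fi
-done
-
-if [[ -z "$APPROVER" ]]; then
-echo "No approval found for workflow_run_id: $WORKFLOW_RUN_ID"
-exit 1
-fi
+id: get-approver
+uses: ./.github/actions/get-github-workflow-approver
+with:
+gh-audit-log-reader-token: ${{ secrets.READ_AUDIT_LOG }}
 
-echo "approver=$APPROVER" >> $GITHUB_OUTPUT
-echo "### Approval Actor for stage: $APPROVER" >> $GITHUB_STEP_SUMMARY
+- name: Debug
+run: |
+echo "### Approval Actor for stage: ${{ steps.get-approver.outputs.approver }}" >> $GITHUB_STEP_SUMMARY
+
+# - name: Get approval actor from audit log
+# env:
+# GH_TOKEN: ${{ secrets.READ_AUDIT_LOG }}
+# OWNER: kosli-dev
+# REPO: github-release-example
+# run: |
+# API_URL="https://api.github.com/orgs/${OWNER}/audit-log"
+# MAX_PAGES=5
+# PER_PAGE=5
+# APPROVER=""
+#
+# for PAGE in $(seq 1 $MAX_PAGES); do
+# echo "Checking page $PAGE..."
+# curl -s -H "Authorization: Bearer ${GH_TOKEN}" \
+# -H "Accept: application/vnd.github+json" \
+# --get \
+# --data-urlencode "phrase=repo:${OWNER}/${REPO}" \
+# --data-urlencode "phrase=action:workflows.approve_workflow_job" \
+# --data-urlencode "per_page=${PER_PAGE}" \
+# --data-urlencode "page=${PAGE}" \
+# "$API_URL" > audit.json
+#
+# MATCH=$(jq -r --arg run_id ${{ github.run_id }} '
+# .[] | select(.workflow_run_id == ($run_id | tonumber)) | .actor' audit.json)
+#
+# if [[ -n "$MATCH" ]]; then
+# echo "Found matching approval by: $MATCH"
+# APPROVER="$MATCH"
+# break
+# fi
+# done
+#
+# if [[ -z "$APPROVER" ]]; then
+# echo "No approval found for workflow_run_id: $WORKFLOW_RUN_ID"
+# exit 1
+# fi
+#
+# echo "approver=$APPROVER" >> $GITHUB_OUTPUT
+# echo "### Approval Actor for stage: $APPROVER" >> $GITHUB_STEP_SUMMARY
 
 semver-tag:
 needs: [build,deploy-stage]
@@ -277,5 +287,4 @@ jobs:
 exit 1
 fi
 
-echo "approver=$APPROVER" >> $GITHUB_OUTPUT
 echo "### Approval Actor for production: $APPROVER" >> $GITHUB_STEP_SUMMARY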
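Review bot: The production deploy job in the second hunk appears to keep the inline audit-log script (the `exit 1` / `fi` tail and the `$APPROVER` summary line are still there) and only drops its `echo "approver=$APPROVER" >> $GITHUB_OUTPUT` line, so that step no longer exposes an `approver` output and anything reading `steps.<step-id>.outputs.approver` in that job would now get an empty value; the enclosing step starts outside the hunk, so this is inferred from the visible tail. If the intent was to retire the inline copy, the production job should call the new action the same way the stage job now does: `id: get-approver`, `uses: ./.github/actions/get-github-workflow-approver`, `with:` / `gh-audit-log-reader-token: ${{ secrets.READ_AUDIT_LOG }}`. In the first hunk the 39 commented-out lines of the old script (new lines 141–179) should be deleted rather than kept: git history already preserves them, and a dormant copy of a script that builds an `Authorization: Bearer` header from a secret is exactly the kind of block that gets uncommented without review. The `- name: Debug` step would also read better with a name that says what it records, e.g. `- name: Record stage approver in step summary`.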
