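---
# Auto-approves pending ("action_required") workflow runs for a pull request
# when the author is trusted or a maintainer has applied the `ok-to-test`
# label. Indentation restored; the workflow is otherwise the same apart from
# the added job timeout and comments.
name: Approve Workflow Runs

# Least privilege: `actions: write` is what approveWorkflowRun needs.
# Nothing in this workflow checks out or executes PR code, so `contents: read`
# is sufficient.
permissions:
  actions: write
  contents: read

# `pull_request_target` runs in the base-branch context with a write-capable
# token. This workflow therefore only inspects event metadata and calls the
# API; it must never check out or run code from the PR head.
on:
  pull_request_target:
    types:
      - labeled
      - synchronize

# One run per PR; a newer push or label event supersedes an in-flight one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event.number }}
  cancel-in-progress: true

jobs:
  ok-to-test:
    # Cheap pre-filter so no runner is scheduled for PRs that cannot qualify.
    # Keep this list in sync with the trust-check step below.
    #
    # NOTE(review): the label is evaluated against the PR's *current* labels on
    # every `synchronize`, so once applied it approves every later push until a
    # maintainer removes it. Confirm this trust lifetime is intended.
    if: |
      github.event.pull_request.author_association == 'MEMBER' ||
      github.event.pull_request.author_association == 'OWNER' ||
      github.event.pull_request.author_association == 'COLLABORATOR' ||
      github.event.pull_request.user.login == 'dependabot[bot]' ||
      contains(github.event.pull_request.labels.*.name, 'ok-to-test')
    runs-on: ubuntu-24.04
    # The job only makes a handful of API calls; bound it so a stalled request
    # cannot hold the runner for the 6-hour default.
    timeout-minutes: 10
    steps:
      - name: Check if author is trusted
        id: trust-check
        shell: bash
        # PR-controlled values (author login, association) are passed through
        # `env` rather than interpolated into `run:` so they cannot be used
        # for script injection.
        env:
          AUTHOR_ASSOCIATION: ${{ github.event.pull_request.author_association }}
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          echo "::group::PR Information"
          echo "PR Number: #$PR_NUMBER"
          echo "PR Author: $PR_AUTHOR"
          echo "Author Association: $AUTHOR_ASSOCIATION"
          echo "::endgroup::"

          # Trusted bot logins — keep in sync with the job-level 'if' condition above.
          TRUSTED_BOTS=("dependabot[bot]")

          # Exact-match lookup of a login against TRUSTED_BOTS (0 = trusted).
          is_trusted_bot() {
            local login="$1"
            for bot in "${TRUSTED_BOTS[@]}"; do
              [[ "$bot" == "$login" ]] && return 0
            done
            return 1
          }

          # Emits is_trusted=true|false for the approval step below.
          if [[ "$AUTHOR_ASSOCIATION" == "MEMBER" || \
                "$AUTHOR_ASSOCIATION" == "OWNER" || \
                "$AUTHOR_ASSOCIATION" == "COLLABORATOR" ]]; then
            echo "::notice::Author '$PR_AUTHOR' is a trusted contributor (association: $AUTHOR_ASSOCIATION)."
            echo "is_trusted=true" >> "$GITHUB_OUTPUT"
          elif is_trusted_bot "$PR_AUTHOR"; then
            echo "::notice::Author '$PR_AUTHOR' is a trusted bot."
            echo "is_trusted=true" >> "$GITHUB_OUTPUT"
          else
            echo "::notice::Author '$PR_AUTHOR' is not a trusted contributor (association: $AUTHOR_ASSOCIATION)."
            echo "::notice::Checking for 'ok-to-test' label."
            echo "is_trusted=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Approve Pending Workflow Runs
        # Runs for trusted authors, or for any author once `ok-to-test` is set.
        if: |
          steps.trust-check.outputs.is_trusted == 'true' ||
          contains(github.event.pull_request.labels.*.name, 'ok-to-test')
        # TODO(review): pin to a full commit SHA instead of a floating tag,
        # e.g. `actions/github-script@<commit-sha>  # v8`, so the action
        # cannot change underneath this `actions: write` job.
        uses: actions/github-script@v8
        with:
          retries: 3
          script: |
            // Only runs for this PR's head commit that are waiting on approval.
            const request = {
              owner: context.repo.owner,
              repo: context.repo.repo,
              event: "pull_request",
              status: "action_required",
              head_sha: context.payload.pull_request.head.sha,
            };
            core.info(`Getting workflow runs that need approval for commit ${request.head_sha}`);
            const runs = await github.paginate(github.rest.actions.listWorkflowRunsForRepo, request, (resp) => resp.data);
            core.info(`Found ${runs.length} workflow runs that need approval`);

            let failures = 0;
            for (const run of runs) {
              try {
                core.info(`Approving workflow run ${run.id}`);
                await github.rest.actions.approveWorkflowRun({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  run_id: run.id,
                });
              } catch (error) {
                // 404/422 are treated as "already processed" (e.g. approved by a
                // concurrent run) and only warned about; anything else fails the job.
                if (error.status === 404 || error.status === 422) {
                  core.warning(`Run ${run.id} could not be approved (HTTP ${error.status}). It may have already been processed.`);
                } else {
                  core.error(`Unexpected error approving run ${run.id}: ${error.message}`);
                  failures++;
                }
              }
            }

            if (failures > 0) {
              core.setFailed(`Failed to approve ${failures} workflow run(s)`);
            }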