action.yaml
# Composite action metadata: approves pull requests opened by the configured Renovate bot account.
name: Approve renovate PRs
description: Approve renovate PRs
inputs:
  # Login that the PR author must match; the sanity-check step compares it with
  # github.event.pull_request.user.login.
  renovate-user:
    description: Username for the author of the PR to autoapprove.
    default: 'grafanarenovatebot[bot]'
  # The two flags below are strings; the approve step compares each against the literal 'true'.
  # Setting both to 'true' means no PR is ever approved, because each one exits before approval
  # in the case the other one allows.
  require-auto-merge:
    description: Only autoapprove PRs where automerge has been requested.
    default: 'false'
  forbid-auto-merge:
    description: Never autoapprove PRs where automerge has been requested.
    default: 'false'
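runs:
  using: composite
  steps:
    # Workflows using this action MUST implement the appropriate checks as documented in the examples. The action
    # performs the checks again for sanity.
    #
    # This step runs, and fails the job, unless all three conditions hold: the event is `pull_request`, the PR
    # author is `inputs.renovate-user`, and the PR head repository is this repository (not a fork).
    # NOTE(review): only the PR author is verified; the authors of individual commits on the branch are not
    # checked here. Pair with branch protection if pushes by other accounts to the bot's branches are a concern.
    - name: Sanity check
      shell: bash
      if: >-
        ${{ ! (
        github.event_name == 'pull_request'
        && github.event.pull_request.user.login == inputs.renovate-user
        && github.repository == github.event.pull_request.head.repo.full_name
        ) }}
      run: |-
        echo "Auto-approve action called in an invalid context, refusing to continue"
        exit 1

    # Both third-party actions below are pinned to a full commit SHA; the trailing comment records the tag.
    # With export_env disabled, the secrets are consumed from this step's `secrets` output by the next step.
    - name: Retrieve secrets
      id: get-secrets
      uses: grafana/shared-workflows/actions/get-vault-secrets@f1614b210386ac420af6807a997ac7f6d96e477a # get-vault-secrets/v1.3.1
      with:
        export_env: false
        common_secrets: |
          SM_APPROVER_APP_ID=sm-approver-app:client-id
          SM_APPROVER_PRIVATE_KEY=sm-approver-app:private-key

    # NOTE(review): no permission scoping is requested here, so the token presumably carries whatever the app
    # installation grants. If the pinned version supports per-permission inputs, consider requesting only what
    # reviewing a PR needs (to be confirmed against the pinned release).
    - name: Create GitHub app token
      id: app-token
      uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3
      with:
        app-id: ${{ fromJSON(steps.get-secrets.outputs.secrets).SM_APPROVER_APP_ID }}
        private-key: ${{ fromJSON(steps.get-secrets.outputs.secrets).SM_APPROVER_PRIVATE_KEY }}

    # Event data and inputs reach the script through `env`, not through `${{ }}` interpolation inside `run`,
    # so the shell treats them as data rather than as script text.
    - name: Approve PR
      shell: bash
      env:
        GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
        PR_URL: ${{ github.event.pull_request.html_url }}
        REQUIRE_AUTOMERGE: ${{ inputs.require-auto-merge }}
        FORBID_AUTOMERGE: ${{ inputs.forbid-auto-merge }}
      run: |-
        set -euo pipefail

        prjson=$(mktemp --suffix=.json)
        # Remove the scratch file however the script exits.
        trap 'rm -f "${prjson}"' EXIT

        gh pr view "${PR_URL}" --json isCrossRepository,reviewDecision,autoMergeRequest > "${prjson}"

        echo "Checking if PR is cross repository"
        # Fail closed: continue only when the field is explicitly `false`. A `true` value, a missing field
        # or a jq error all refuse the approval. Inside an `if` condition `set -e` does not apply, so a
        # positive test for `true` would let a jq failure fall through to the approval.
        if ! jq -e '.isCrossRepository == false' "${prjson}" > /dev/null; then
          # This should never happen as per the job condition, but better be sure.
          echo "Refusing to approve a cross-repository PR"
          exit 1
        fi

        echo "Checking if PR is already approved"
        if jq -e '.reviewDecision == "APPROVED"' "${prjson}"; then
          echo "PR already approved"
          exit 0
        fi

        echo "Checking if automerge was requested"
        if [[ "$REQUIRE_AUTOMERGE" == 'true' ]] && jq -e '.autoMergeRequest == null' "${prjson}"; then
          echo "Not approving PR where automerge was not requested"
          exit 0
        fi

        if [[ "$FORBID_AUTOMERGE" == 'true' ]] && jq -e '.autoMergeRequest != null' "${prjson}"; then
          echo "Not approving PR where automerge was requested"
          exit 0
        fi

        echo "Approving PR"
        gh pr review "$PR_URL" --approve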