doc-2458: notify slack error fix (#9123)

Linus-SpectroCloud · web-flow · commit c08d2cfd6175 · 2026-01-08T15:14:36.000-04:00
* doc-2458: notify slack error fix

* doc-2458: making script run on ready-for-review and label

* doc-2458: reverting notify-slack to original until figure out 403 error
diff --git a/.github/workflows/GHA-ready-for-review.yaml b/.github/workflows/GHA-ready-for-review.yaml
@@ -1,25 +1,21 @@
-# This workflow posts to Slack when a PR is labeled with "notify-slack".
-# It notifies reviewers based on each reviewer's local-time window from reviewers.json.
-# It also prevents multiple Slack notifications for the same PR using a hidden PR comment marker.
-#
-# SECURITY NOTE:
-# - This workflow uses pull_request_target so it can comment on PRs from forks.
-# - Do NOT checkout the PR head in this workflow. This file intentionally does not use actions/checkout.
-# "Notify once" semantics: we create a marker comment FIRST (lock). If we can't write the marker,
-# we refuse to notify to avoid duplicate Slack notifications.
-
-name: Ready for Review Slack Notification
-
-'on':
-  pull_request_target:
+# This workflow will post to Slack when a PR is labeled with "notify-slack". 
+# It will notify the appropriate reviewers based on the current UTC hour.
+# It also ensures that Slack is not notified multiple times for the same PR.
+# The reviewers are defined in a Base64 encoded JSON file stored in a GitHub secret.
+# After notifying, it records the notification in the PR comments and securely deletes the reviewers file.
+# The workflow is designed to be efficient and secure, ensuring that sensitive information is handled properly.
+
+name: Ready for Review
+
+on:
+  pull_request:
     types: [labeled]
 
 permissions:
-  issues: write
-  pull-requests: read
+  pull-requests: write
 
 concurrency:
-  group: readyforreviewci-pr-${{ github.event.pull_request.number }}
+  group: readyforreviewci-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
@@ -28,141 +24,68 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      # SECURITY: Intentionally no checkout. Do NOT checkout PR head in pull_request_target workflows.
-
-      - name: Decode reviewers.json secret
-        env:
-          REVIEWERS_JSON_B64: ${{ secrets.REVIEWER_CONFIG_B64 }}
-        run: |
-          echo "::group::Decode reviewer config"
-          if [ -z "${REVIEWERS_JSON_B64:-}" ]; then
-            echo "::warning::REVIEWER_CONFIG_B64 secret is empty or not set; no reviewers will be selected."
-            echo "{}" > reviewers.json
-          else
-            echo "$REVIEWERS_JSON_B64" | base64 --decode > reviewers.json || {
-              echo "::warning::Failed to decode REVIEWER_CONFIG_B64; no reviewers will be selected."
-              echo "{}" > reviewers.json
-            }
-          fi
-          echo "::endgroup::"
-
-      - name: Check if Slack was already notified (marker comment)
+      - name: Check for prior Slack notification comment
         id: check
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          MARKER: "<!-- slack-notified -->"
         run: |
-          echo "::group::Check marker comment"
-          COMMENTS_JSON="$(curl -fsSL             -H "Authorization: Bearer $GH_TOKEN"             -H "Accept: application/vnd.github+json"             "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments")"
+          COMMENTS=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+            https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments)
 
-          COMMENT_ID="$(echo "$COMMENTS_JSON" | jq -r --arg m "$MARKER" '
-            [.[] | select(.body // "" | contains($m)) | .id][0] // ""')"
+          COMMENT_ID=$(echo "$COMMENTS" | jq '.[] | select(.body | contains("<!-- slack-notified -->")) | .id')
 
           if [ -n "$COMMENT_ID" ]; then
-            echo "notified=true" >> "$GITHUB_OUTPUT"
-            echo "comment_id=$COMMENT_ID" >> "$GITHUB_OUTPUT"
-            echo "::notice::Found marker comment id: $COMMENT_ID"
+            echo "Slack already notified."
+            echo "notified=true" >> $GITHUB_OUTPUT
+            echo "comment_id=$COMMENT_ID" >> $GITHUB_OUTPUT
           else
-            echo "notified=false" >> "$GITHUB_OUTPUT"
-            echo "comment_id=" >> "$GITHUB_OUTPUT"
-            echo "::notice::No marker comment found."
+            echo "notified=false" >> $GITHUB_OUTPUT
           fi
-          echo "::endgroup::"
 
-      - name: Acquire notify lock (create marker comment if missing)
+      - name: Exit if already notified
+        if: steps.check.outputs.notified == 'true'
+        continue-on-error: true
+        run: echo "Slack already notified — skipping remaining steps."
+
+      - name: Decode reviewer config (Base64)
         if: steps.check.outputs.notified == 'false'
-        id: lock
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          MARKER: "<!-- slack-notified -->"
+        id: config
         run: |
-          echo "::group::Acquire notify lock"
-          TIMESTAMP="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
-          BODY=$'🟡 Slack notification locked at '"$TIMESTAMP"$'\n\n'"$MARKER"
-
-          RESP="$(curl -fsSL -X POST             -H "Authorization: Bearer $GH_TOKEN"             -H "Accept: application/vnd.github+json"             -d "$(jq -nc --arg body "$BODY" '{body: $body}')"             "https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments")"
-
-          COMMENT_ID="$(echo "$RESP" | jq -r '.id // ""')"
-          if [ -z "$COMMENT_ID" ]; then
-            echo "::error::Failed to create marker comment; refusing to notify to avoid duplicates."
-            exit 1
-          fi
-
-          echo "comment_id=$COMMENT_ID" >> "$GITHUB_OUTPUT"
-          echo "::notice::Notify lock acquired with comment id: $COMMENT_ID"
-          echo "::endgroup::"
+          echo "${{ secrets.REVIEWER_CONFIG_B64 }}" | base64 -d > reviewers.json
 
       - name: Choose Reviewers From Config
-        if: steps.lock.outputs.comment_id != ''
+        if: steps.check.outputs.notified == 'false'
         id: pick
         run: |
-          echo "::group::Select reviewers"
-          to_minutes () {
-            local t="$1"
-            if [[ "$t" == *:* ]]; then
-              local hh="${t%%:*}"
-              local mm="${t##*:}"
-              echo $((10#$hh * 60 + 10#$mm))
-            else
-              # Back-compat: integer hour => HH:00
-              echo $((10#$t * 60))
-            fi
-          }
-
-          now_in_tz () {
-            local tz="$1"
-            local hh mm day
-            hh=$(TZ="$tz" date +%H)
-            mm=$(TZ="$tz" date +%M)
-            day=$(TZ="$tz" date +%a | tr '[:upper:]' '[:lower:]')
-            echo "$((10#$hh * 60 + 10#$mm)) $day $hh $mm"
-          }
+          HOUR=$(date -u +'%H')
+          DAY=$(date -u +%a | tr '[:upper:]' '[:lower:]')
+          echo "UTC Hour: $HOUR | Day: $DAY"
 
           REVIEWERS=""
 
-          for reviewer in $(jq -r 'keys[]' reviewers.json 2>/dev/null || true); do
-            START_RAW=$(jq -r "."$reviewer".start" reviewers.json 2>/dev/null || echo "")
-            END_RAW=$(jq -r "."$reviewer".end" reviewers.json 2>/dev/null || echo "")
-            SLACK_ID=$(jq -r "."$reviewer".slack_id" reviewers.json 2>/dev/null || echo "")
-            TZID=$(jq -r "."$reviewer".tz // "UTC"" reviewers.json 2>/dev/null || echo "UTC")
-
-            if [ -z "$START_RAW" ] || [ -z "$END_RAW" ] || [ -z "$SLACK_ID" ]; then
-              echo "::warning::Reviewer '$reviewer' missing required fields (start/end/slack_id); skipping."
-              continue
-            fi
-
-            read -r NOW_MIN DAY HH MM <<< "$(now_in_tz "$TZID")"
-            echo "Reviewer: $reviewer | TZ: $TZID | Local: ${HH}:${MM} | Day: $DAY"
+          for reviewer in $(jq -r 'keys[]' reviewers.json); do
+            START=$(jq -r ".\"$reviewer\".start" reviewers.json)
+            END=$(jq -r ".\"$reviewer\".end" reviewers.json)
+            SLACK_ID=$(jq -r ".\"$reviewer\".slack_id" reviewers.json)
 
-            if jq -e "."$reviewer".days" reviewers.json > /dev/null 2>&1; then
-              DAYS=$(jq -r "."$reviewer".days[]" reviewers.json 2>/dev/null | tr '\n' ' ')
+            if jq -e ".\"$reviewer\".days" reviewers.json > /dev/null; then
+              DAYS=$(jq -r ".\"$reviewer\".days[]" reviewers.json | tr '\n' ' ')
               [[ "$DAYS" != *"$DAY"* ]] && continue
             fi
 
-            START_MIN=$(to_minutes "$START_RAW")
-            END_MIN=$(to_minutes "$END_RAW")
-
-            if [ "$NOW_MIN" -ge "$START_MIN" ] && [ "$NOW_MIN" -lt "$END_MIN" ]; then
+            if [ "$HOUR" -ge "$START" ] && [ "$HOUR" -lt "$END" ]; then
               REVIEWERS+="<@$SLACK_ID> "
             fi
           done
 
           if [ -z "$REVIEWERS" ]; then
             REVIEWERS="<!here> _(No reviewers available — notifying team)_"
-            echo "::notice::No reviewers matched availability window; using <!here>."
-          else
-            echo "::notice::Selected reviewers: $REVIEWERS"
           fi
 
-          echo "reviewers=$REVIEWERS" >> "$GITHUB_OUTPUT"
-          echo "::endgroup::"
+          echo "reviewers=$REVIEWERS" >> $GITHUB_OUTPUT
 
       - name: Notify Slack
-        if: steps.lock.outputs.comment_id != ''
-        continue-on-error: true
+        if: steps.check.outputs.notified == 'false'
         uses: rtCamp/action-slack-notify@v2.3.3
         env:
-          REVIEWERS: ${{ steps.pick.outputs.reviewers }}
           SLACK_WEBHOOK: ${{ secrets.SLACK_PRIVATE_TEAM_WEBHOOK }}
           SLACK_USERNAME: "spectromate"
           SLACK_ICON_EMOJI: ":robot_panic:"
@@ -171,42 +94,43 @@ jobs:
             :review: *<${{ github.event.pull_request.html_url }}|${{ github.event.pull_request.title }}>* is ready for review!
             Pinging: ${{ steps.pick.outputs.reviewers }}
 
-      - name: Finalize marker comment
-        if: steps.lock.outputs.comment_id != ''
-        continue-on-error: true
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          MARKER: "<!-- slack-notified -->"
+      - name: Create or Update Slack comment manually
+        if: steps.check.outputs.notified == 'false'
         run: |
-          echo "::group::Finalize marker comment"
-          TIMESTAMP="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
-          BODY=$'✅ Slack notification attempted at '"$TIMESTAMP"$'\n\n'"$MARKER"
-          COMMENT_ID="${{ steps.lock.outputs.comment_id }}"
-
-          curl -fsSL -X PATCH             -H "Authorization: Bearer $GH_TOKEN"             -H "Accept: application/vnd.github+json"             -d "$(jq -nc --arg body "$BODY" '{body: $body}')"             "https://api.github.com/repos/${{ github.repository }}/issues/comments/$COMMENT_ID" > /dev/null             || echo "::warning::Failed to finalize marker comment ($COMMENT_ID)"
-          echo "::endgroup::"
+          TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+          BODY="✅ Slack reviewers notified at $TIMESTAMP \n <!-- slack-notified -->"
+
+          if [ -n "${{ steps.check.outputs.comment_id }}" ]; then
+            echo "Updating existing comment..."
+            curl -s -X PATCH -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+              -H "Accept: application/vnd.github.v3+json" \
+              -d "$(jq -nc --arg body "$BODY" '{body: $body}')" \
+              https://api.github.com/repos/${{ github.repository }}/issues/comments/${{ steps.check.outputs.comment_id }}
+          else
+            echo "Creating new comment..."
+            curl -s -X POST -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+              -H "Accept: application/vnd.github.v3+json" \
+              -d "$(jq -nc --arg body "$BODY" '{body: $body}')" \
+              https://api.github.com/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments
+          fi
 
       - name: Securely overwrite and delete reviewers.json
         if: always()
         run: |
-          echo "::group::Cleanup"
           if [ -f reviewers.json ]; then
             echo "Shredding reviewers.json"
-            dd if=/dev/urandom of=reviewers.json bs=1 count=$(stat -c%s reviewers.json) conv=notrunc status=none || true
-            rm -f reviewers.json || true
-            echo "Cleanup complete."
+            dd if=/dev/urandom of=reviewers.json bs=1 count=$(stat -c%s reviewers.json) conv=notrunc status=none
+            rm -f reviewers.json
+            echo "Secure deletion complete."
           else
             echo "No reviewers.json file to delete."
           fi
-          echo "::endgroup::"
 
       - name: Final Job Status Summary
         if: always()
         run: |
           if [ "${{ steps.check.outputs.notified }}" == "true" ]; then
-            echo "✅ Job completed: Slack was already notified (marker comment exists)."
-          elif [ -n "${{ steps.lock.outputs.comment_id }}" ]; then
-            echo "✅ Job completed: Notify lock acquired; Slack notification attempted."
+            echo "✅ Job completed: Slack was already notified (comment updated if needed)."
           else
-            echo "ℹ️ Job completed: No lock acquired (likely already notified or skipped)."
+            echo "✅ Job completed: Slack notification was posted successfully."
           fi
