pr-approval-check/action.yml at main · trufflesecurity/pr-approval-check · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
name: "PR Approval Check"
description: "Require an approval from a specific org team on pull requests"
author: "Truffle Security"
branding:
  icon: check-circle
  color: green

inputs:
  org:
    description: "GitHub organization that owns the approver team"
    required: false
    default: "trufflesecurity"
  approver_team:
    description: "Team slug that must approve (e.g. product-eng)"
    required: false
    default: "product-eng"
  github_token:
    description: "Token with permission to read PRs and write commit statuses"
    required: true
  owner:
    description: "Owner of the repository being evaluated"
    required: false
    default: "trufflesecurity"
  repo:
    description: "Github respository for which to check approvers"
    required: true
  head:
    description: "Head sha of the pull request"
    required: true
  number:
    description: "Pull request number"
    required: true

runs:
  using: "composite"
  steps:
    - name: Check for Product Engineering approval
      uses: actions/github-script@v7
      env:
        OWNER: ${{ inputs.owner }}
        ORG: ${{ inputs.org }}
        TEAM: ${{ inputs.approver_team }}
        REPO: ${{ inputs.repo }}
        HEAD: ${{ inputs.head }}
        NUMBER: ${{ inputs.number }}
      with:
        github-token: ${{ inputs.github_token }}
        script: |
          const { REPO, OWNER, ORG, TEAM, HEAD, NUMBER } = process.env
          const prettyTeamName = `@${ORG}/${TEAM}`

          console.log(github.event)

          console.log("REPO", REPO)
          console.log("OWNER",OWNER)
          console.log("ORG",ORG)
          console.log("TEAM",TEAM)
          console.log("HEAD",HEAD)
          console.log("NUMBER",NUMBER)

          async function status(state, msg) {
            await github.rest.repos.createCommitStatus({
              owner: OWNER,
              repo: REPO,
              sha: HEAD,
              state,
              context: 'pr-approval-check',
              description: msg,
            });
          }

          async function fail(msg) {
            core.setOutput('result', msg);
            console.error(msg)
            await status('failure', msg)
            process.exit(0);
          }

          async function succeed(msg) {
            core.setOutput('result', msg);
            console.info(msg)
            await status('success', msg)
            process.exit(0);
          }

          async function fatal(msg) {
            core.setFailed(msg);
            console.error(msg)
            await status('failure', msg)
            process.exit(1);
          }

          // Start as pending
          await status('pending', `Waiting for approval from ${prettyTeamName} team member`)

          // Map reviewer login -> latest review object
          let reviews = new Map();
          try {
            const iter = github.paginate.iterator(
              github.rest.pulls.listReviews,
              {
                owner: OWNER,
                repo: REPO,
                pull_number: NUMBER,
              }
            );

            const latestReview = (a, b) =>
              new Date(a.submitted_at) > new Date(b.submitted_at) ? a : b;

            for await (const page of iter) {
              for (const review of page.data) {
                const login = review.user.login;
                reviews.set(
                  login,
                  reviews.has(login) ? latestReview(reviews.get(login), review) : review
                );
              }
            }
          } catch (error) {
            await fatal(`⚠️ Could not get reviews: ${error.status}`);
          }

          let approved = false;
          let changeRequesters = [];
          for (const [login, review] of reviews) {
            try {
              const membership = await github.rest.teams.getMembershipForUserInOrg({
                org: ORG,
                team_slug: TEAM,
                username: login,
              });

              if (membership.data.state === 'active') {
                if (review.state === 'APPROVED') {
                  approved = true;
                } else if (review.state === 'CHANGES_REQUESTED') {
                  changeRequesters.push(login);
                }
              }
            } catch (error) {
              if (error.status != 404) {
                await fatal(
                  `⚠️ Could not determine membership for ${login} in ${prettyTeamName}: ${error.status}`
                );
              }
            }
          }

          if (changeRequesters.length > 0) {
            await fail(
              `⚠️ Changes requested by: ${changeRequesters.map(l => `@${l}`).join(", ")} on behalf of ${prettyTeamName}`
            );
          } else if (approved) {
            await succeed(`✅ Approved by ${prettyTeamName}`);
          } else {
            await fail(`⚠️ Requires approval from ${prettyTeamName}`);
          }