added script to dismiss reviews (polkadot-fellows#76)

Added a script that will require new reviews in a PR if the author (who
is not a fellow) pushed a new commit.

Resolves polkadot-fellows#60

Copied from paritytech/polkadot-sdk#4152 and
paritytech/polkadot-sdk#3431


## Summary
Added a new step in the action that triggers review bot to stop approval
from new pushes.

This step works in the following way:
- If the **author of the PR**, who **is not** a fellow, pushed a new
commit then:
- Review-Trigger requests new reviews from the reviewers and fails.

It *does not dismiss reviews*. It simply request them again, but they
will still be available.

This way, if the author changed something in the code, they will still
need to have this latest change approved to stop them from uploading
malicious code.

- [x] Does not require a CHANGELOG entry

.github/workflows/review-trigger.yml

@@ -13,17 +13,58 @@ on:
 
 jobs:
   trigger-review-bot:
+    # (It is not a draft) && (it is not a review || it is an approving review)
+    if: ${{ github.event.pull_request.draft != true && (github.event_name != 'pull_request_review' || (github.event.review && github.event.review.state == 'APPROVED')) }}
     runs-on: ubuntu-latest
     name: trigger review bot
     steps:
+      - name: Get PR data
+        id: comments
+        run: |
+          echo "bodies=$(gh pr view ${{ github.event.pull_request.number }} --repo ${{ github.repository }} --json comments --jq '[.comments[].body]')" >> "$GITHUB_OUTPUT"
+          echo "reviews=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews --jq '[.[].state]')" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ github.token }}
+      - name: Get the GitHub handle of the fellows
+        uses: paritytech/[email protected]
+        id: fellows
+        # Require new reviews when the author is pushing and he is not a fellow
+      - name: Fail when author pushes new code
+        # if (contains approved reviews && it's a synchronize event && was triggered by the author (who is not a fellow))
+        if: |
+          contains(fromJson(steps.comments.outputs.reviews), 'APPROVED') &&
+          github.event_name == 'pull_request_target' &&
+          github.event.action == 'synchronize' && 
+          github.event.sender.login == github.event.pull_request.user.login && 
+          contains(steps.fellows.outputs.github-handles, github.event.pull_request.user.login)
+        run: |
+          # We get the list of reviewers who approved the PR
+          REVIEWERS=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews \
+          --jq '{reviewers: [.[] | select(.state == "APPROVED") | .user.login]}')
+
+          # We request them to review again
+          echo $REVIEWERS | gh api --method POST repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/requested_reviewers --input -
+
+          echo "::error::Project needs to be reviewed again"
+          exit 1
+        env:
+          GH_TOKEN: ${{ github.token }}
+      - name: Comment requirements
+        # If the previous step failed and github-actions hasn't commented yet we comment instructions
+        if: failure() && !contains(fromJson(steps.comments.outputs.bodies), 'Review required! Latest push from author must always be reviewed')
+        run: |
+          gh pr comment ${{ github.event.pull_request.number }} --repo ${{ github.repository }} --body "Review required! Latest push from author must always be reviewed"
+        env:
+          GH_TOKEN: ${{ github.token }}
+          COMMENTS: ${{ steps.comments.outputs.users }}
       - name: Get PR number
         env:
           PR_NUMBER: ${{ github.event.pull_request.number }}
         run: |
           echo "Saving PR number: $PR_NUMBER"
           mkdir -p ./pr
           echo $PR_NUMBER > ./pr/pr_number
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         name: Save PR number
         with:
           name: pr_number