From 633d4e7c99db75599a3f9d6b09962d0248b89731 Mon Sep 17 00:00:00 2001
From: Javier Bullrich
Date: Tue, 7 May 2024 15:21:46 +0200
Subject: [PATCH] added script to dismiss reviews (#76)
Added a script that will require new reviews in a PR if the author (who is not a fellow) pushed a new commit. Resolves #60 Copied from paritytech/polkadot-sdk#4152 and paritytech/polkadot-sdk#3431 ## Summary Added a new step in the action that triggers review bot to stop approval from new pushes. This step works in the following way: - If the **author of the PR**, who **is not** a fellow, pushed a new commit then: - Review-Trigger requests new reviews from the reviewers and fails. It *does not dismiss reviews*. It simply request them again, but they will still be available. This way, if the author changed something in the code, they will still need to have this latest change approved to stop them from uploading malicious code. - [x] Does not require a CHANGELOG entry
---
 .github/workflows/review-trigger.yml | 43 +++++++++++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/review-trigger.yml b/.github/workflows/review-trigger.yml
index 0edbc7c9a9..2f241c9171 100644
--- a/.github/workflows/review-trigger.yml
+++ b/.github/workflows/review-trigger.yml
@@ -13,9 +13,50 @@ on:
 jobs:
 trigger-review-bot:
+ # (It is not a draft) && (it is not a review || it is an approving review)
+ if: ${{ github.event.pull_request.draft != true && (github.event_name != 'pull_request_review' || (github.event.review && github.event.review.state == 'APPROVED')) }}
 runs-on: ubuntu-latest
 name: trigger review bot
 steps:
+ - name: Get PR data
+ id: comments
+ run: |
+ echo "bodies=$(gh pr view ${{ github.event.pull_request.number }} --repo ${{ github.repository }} --json comments --jq '[.comments[].body]')" >> "$GITHUB_OUTPUT"
+ echo "reviews=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews --jq '[.[].state]')" >> "$GITHUB_OUTPUT"
+ env:
+ GH_TOKEN: ${{ github.token }}
+ - name: Get the GitHub handle of the fellows
+ uses: paritytech/get-fellows-action@v1.1.2
+ id: fellows
+ # Require new reviews when the author is pushing and he is not a fellow
+ - name: Fail when author pushes new code
+ # if (contains approved reviews && it's a synchronize event && was triggered by the author (who is not a fellow))
+ if: |
+ contains(fromJson(steps.comments.outputs.reviews), 'APPROVED') &&
+ github.event_name == 'pull_request_target' &&
+ github.event.action == 'synchronize' &&
+ github.event.sender.login == github.event.pull_request.user.login &&
+ contains(steps.fellows.outputs.github-handles, github.event.pull_request.user.login)
+ run: |
+ # We get the list of reviewers who approved the PR
+ REVIEWERS=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews \
+ --jq '{reviewers: [.[] | select(.state == "APPROVED") | .user.login]}')
+
+ # We request them to review again
+ echo $REVIEWERS | gh api --method POST repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/requested_reviewers --input -
+
+ echo "::error::Project needs to be reviewed again"
+ exit 1
+ env:
+ GH_TOKEN: ${{ github.token }}
+ - name: Comment requirements
+ # If the previous step failed and github-actions hasn't commented yet we comment instructions
+ if: failure() && !contains(fromJson(steps.comments.outputs.bodies), 'Review required! Latest push from author must always be reviewed')
+ run: |
+ gh pr comment ${{ github.event.pull_request.number }} --repo ${{ github.repository }} --body "Review required! Latest push from author must always be reviewed"
+ env:
+ GH_TOKEN: ${{ github.token }}
+ COMMENTS: ${{ steps.comments.outputs.users }}
 - name: Get PR number
 env:
 PR_NUMBER: ${{ github.event.pull_request.number }}
@@ -23,7 +64,7 @@ jobs:
 echo "Saving PR number: $PR_NUMBER"
 mkdir -p ./pr
 echo $PR_NUMBER > ./pr/pr_number
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@v4
 name: Save PR number
 with:
 name: pr_number
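Review bot: The fellow check on the last line of the `if:` block in the "Fail when author pushes new code" step is the opposite of what its own comment ("he is not a fellow") and the commit description state: `contains(steps.fellows.outputs.github-handles, ...)` is true only when the author IS a fellow, so a non-fellow author's push never triggers the re-review request while a fellow's push does. That line should read `!contains(steps.fellows.outputs.github-handles, github.event.pull_request.user.login)`. If `github-handles` is a delimited string rather than a JSON array (not visible in this hunk), `contains()` is also a substring match, so a login that is a prefix of a fellow's handle would match; parsing it with `fromJson` and comparing exact entries would be safer. Separately, the `COMMENTS: ${{ steps.comments.outputs.users }}` env entry in the "Comment requirements" step references an output the "Get PR data" step never sets (it only writes `bodies` and `reviews`) and is unused by that step's `run:`, so it can be dropped.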