Merge pull request #7007 from ministryofjustice/allow-specfifying-ind…

…ividual-teams-as-reviewer Modify jq query to check for `github_action_reviewer` flag
ministryofjustice · May 23, 2024 · 604e2a8 · 604e2a8
2 parents 3bbf154 + 7c81854
commit 604e2a8
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 27 deletions.
diff --git a/environments/delius-core.json b/environments/delius-core.json
@@ -1,15 +1,15 @@
 {
  "account-type": "member",
  "codeowners": ["hmpps-migration"],
- "github_action_reviewers": ["hmpps-migration"],
  "environments": [
  {
  "name": "development",
  "access": [
  {
  "github_slug": "hmpps-migration",
  "level": "sandbox",
- "nuke": "exclude"
+ "nuke": "exclude",
+ "github_action_reviewer" : "true"
  },
  {
  "github_slug": "hmpps-dba",
@@ -19,7 +19,8 @@
  {
  "github_slug": "unilink",
  "level": "developer",
- "nuke": "exclude"
+ "nuke": "exclude",
+ "github_action_reviewer" : "true"
  }
  ]
  },
@@ -28,7 +29,8 @@
  "access": [
  {
  "github_slug": "hmpps-migration",
- "level": "developer"
+ "level": "developer",
+ "github_action_reviewer": "true"
  },
  {
  "github_slug": "hmpps-dba",
@@ -45,7 +47,8 @@
  "access": [
  {
  "github_slug": "hmpps-migration",
- "level": "developer"
+ "level": "developer",
+ "github_action_reviewer": "true"
  },
  {
  "github_slug": "hmpps-dba",
@@ -62,7 +65,8 @@
  "access": [
  {
  "github_slug": "hmpps-migration",
- "level": "developer"
+ "level": "developer",
+ "github_action_reviewer": "true"
  },
  {
  "github_slug": "hmpps-dba",

diff --git a/environments/delius-nextcloud.json b/environments/delius-nextcloud.json
@@ -1,15 +1,15 @@
 {
  "account-type": "member",
  "codeowners": ["hmpps-migration"],
- "github_action_reviewers": ["hmpps-migration"],
  "environments": [
  {
  "name": "development",
  "access": [
  {
  "github_slug": "hmpps-migration",
  "level": "sandbox",
- "nuke": "exclude"
+ "nuke": "exclude",
+ "github_action_reviewer": "true"
  }
  ]
  },
@@ -18,7 +18,8 @@
  "access": [
  {
  "github_slug": "hmpps-migration",
- "level": "developer"
+ "level": "developer",
+ "github_action_reviewer": "true"
  }
  ]
  },
@@ -27,7 +28,8 @@
  "access": [
  {
  "github_slug": "hmpps-migration",
- "level": "developer"
+ "level": "developer",
+ "github_action_reviewer": "true"
  }
  ]
  },
@@ -36,7 +38,8 @@
  "access": [
  {
  "github_slug": "hmpps-migration",
- "level": "developer"
+ "level": "developer",
+ "github_action_reviewer": "true"
  }
  ]
  }

diff --git a/scripts/git-create-environments.sh b/scripts/git-create-environments.sh
@@ -161,14 +161,10 @@ main() {
  account_type=$(jq -r '."account-type"' ${json_file})
  if [ "${account_type}" = "member" ]
  then
-
- # Get environment GitHub team slugs from github_action_reviewers array
- github_action_reviewers=$(jq -r 'try (.github_action_reviewers[])' $json_file)
- # If github_action_reviewers is not empty, use it as the teams
- if ([ ${#github_action_reviewers[@]} -gt 0 ] && [ -n "$github_action_reviewers" ]); then
- teams=$github_action_reviewers
- else
- # If github_action_reviewers wasn't provided, get environment GitHub team slugs from member access array instead
+ # Check for teams that have the github_action_reviewer flag set to true
+ teams=$(jq -r --arg e "${env}" '.environments[] | select( .name == $e ) | .access[] | select(.github_action_reviewer=="true") | .github_slug' $json_file)
+ # if teams is empty (none of the teams have the github_action_reviewer flag), get all teams
+ if [ -z "$teams" ]; then
  teams=$(jq -r --arg e "${env}" '.environments[] | select( .name == $e ) | .access[].github_slug' $json_file)
  fi
 

diff --git a/source/runbooks/creating-accounts-for-end-users.html.md.erb b/source/runbooks/creating-accounts-for-end-users.html.md.erb
@@ -56,11 +56,25 @@ See [#5957](https://github.com/ministryofjustice/modernisation-platform/pull/595
 
 By default all teams listed in the access blocks for an environment can approve the corresponding Github action runs.
 
-You can override this by defining `github_action_reviewers` as an attribute for the application.
-
-`"github_action_reviewers" : ["<owner-name>"],` Replace \<owner-name\> with a GitHub team such as `modernisation-platform`.
-
-This will restrict Github action approval to only the GitHub team slugs listed in the 'github_action_reviewers' attribute.
+Alternatively, if you wish to specify the GitHub team slugs that can approve the Github action runs for a specific environment, you can define `github_action_reviewer` as an attribute for that environment by setting `"github_action_reviewer" : "true"` in the access block for that environment/team.
+
+```json
+ "name": "development",
+ "access": [
+ {
+ "github_slug": "modernisation-platform",
+ "level": "developer",
+ "github_action_reviewer" : "true"
+ },
+ {
+ "github_slug": "some-other-team",
+ "level": "developer"
+ }
+ ]
+ },
+```
+
+In this example, only the `modernisation-platform` team can approve the Github action runs for the development environment.
 
 See [#6338](https://github.com/ministryofjustice/modernisation-platform/pull/6338) for an example of the change required.
 

diff --git a/source/user-guide/creating-environments.html.md.erb b/source/user-guide/creating-environments.html.md.erb
@@ -191,9 +191,9 @@ Here are some examples of the environments JSON file that the Modernisation Plat
 - `account-type` determines if this is a core modernisation platform account or a user member account.
 - `isolated-network` is an optional field which can be set to 'true' if you require an isolated environment with no internet or shared network connectivity.
 - `codeowners` is an optional list of GitHub slugs if you want specific teams to review code changes before they are released into environments.
-- `github_action_reviewers` is an optional list of GitHub slugs if you want specific teams to approve GitHub action runs.
 - `environments` should be an array of objects for environments required. If the environment is `production`, retention periods, backup frequency, and similar will be different compared to non-production environments.
 - the `name` key and `access` object are required, see: [Another example](#another-example)
+- `github_action_reviewer` is an optional true/false for each team listed and determines if the team should be the approver for GitHub action runs.
 - the `nuke` key is optional and is only read if the `access.level` is `sandbox`.
 - `tags` should be an object of the mandatory tags defined in the MoJ [Tagging Guidance](https://ministryofjustice.github.io/technical-guidance/documentation/standards/documenting-infrastructure-owners.html#tagging-your-infrastructure). You can omit `is-production` as we infer this from the environment name.
 
@@ -206,15 +206,15 @@ Here are some examples of the environments JSON file that the Modernisation Plat
  "account-type": "",
  "isolated-network": "",
  "codeowners": [""],
- "github_action_reviewers": [""],
  "environments": [
  {
  "name": ""
  "access": [
  {
  "github_slug": "",
  "level": "",
- "nuke": ""
+ "nuke": "",
+ "github_action_reviewer": "true"
  }
  ]
  }