Enforce Team Approvals #32
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Enforce Team Approvals | |
| on: | |
| pull_request_review: | |
| types: [submitted] | |
| workflow_dispatch: | |
| jobs: | |
| enforce-approvals: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check for approvals from default-reviewers and omnibus-reviewers | |
| id: check_approvals | |
| uses: actions/github-script@v7 | |
| with: | |
| github-token: ${{ secrets.PAT_TOKEN }} | |
| script: | | |
| const { owner, repo, number: pull_number } = context.issue; | |
| // Fetch all reviews for the pull request | |
| const { data: reviews } = await github.rest.pulls.listReviews({ | |
| owner, | |
| repo, | |
| pull_number, | |
| }); | |
| // Filter reviews that are approved | |
| const approvedReviews = reviews.filter(review => review.state === 'APPROVED'); | |
| // Extract usernames of reviewers who approved | |
| const approvedUsers = [...new Set(approvedReviews.map(review => review.user.login))]; | |
| // PR Author | |
| const authorName = context.payload.pull_request.user.login; | |
| const defaultTeam = 'default-reviewers'; // team slug | |
| const omnibusTeam = 'omnibus-reviewers'; // team slug | |
| const org = 'waterloo-rocketry'; | |
| let defaultApproved = false; | |
| let omnibusApproved = false; | |
| try { | |
| await github.rest.teams.getMembershipForUserInOrg({ | |
| org, | |
| team_slug: defaultTeam, | |
| authorName | |
| }); | |
| return { defaultApproved: true }; | |
| console.log(`✅ ${authorName} is in ${defaultTeam} team pass ${defaultTeam} check`); | |
| } catch (error) { | |
| // Author is not in default-reviewers team | |
| } | |
| for (const username of approvedUsers) { | |
| console.log(`\nChecking approvals from user: ${username}`); | |
| try { | |
| // Check if the user is a member of the default-reviewers team | |
| await github.rest.teams.getMembershipForUserInOrg({ | |
| org, | |
| team_slug: defaultTeam, | |
| username | |
| }); | |
| defaultApproved = true; | |
| console.log(`✅ ${username} approved PR ${pull_number} in ${defaultTeam} team`); | |
| } catch (error) { | |
| // User is not in default-reviewers team | |
| } | |
| try { | |
| // Check if the user is a member of the omnibus-reviewers team | |
| await github.rest.teams.getMembershipForUserInOrg({ | |
| org, | |
| team_slug: omnibusTeam, | |
| username | |
| }); | |
| omnibusApproved = true; | |
| console.log(`✅ ${username} approved PR ${pull_number} in ${omnibusTeam} team`); | |
| } catch (error) { | |
| // User is not in omnibus-reviewers team | |
| } | |
| } | |
| if (!defaultApproved) { | |
| core.setFailed( | |
| '❌ Pull request must be approved by at least one member from default-reviewers.' | |
| ); | |
| } | |
| if (!omnibusApproved) { | |
| core.setFailed( | |
| '❌ Pull request must be approved by at least one member from omnibus-reviewers.' | |
| ); | |
| } |