|
| 1 | +# This workflow checks if specfic files were modified, |
| 2 | +# if they were they require more than one approval from CODEOWNERS |
| 3 | +name: Check Release Files |
| 4 | + |
| 5 | +on: |
| 6 | + pull_request: |
| 7 | + |
| 8 | +jobs: |
| 9 | + require-approvals: |
| 10 | + runs-on: ubuntu-latest |
| 11 | + permissions: |
| 12 | + issues: write |
| 13 | + pull-requests: write |
| 14 | + env: |
| 15 | + # unfortunately we can't check if the approver is part of the CODEOWNERS. This is a subset of aws/aws-crypto-tools-team |
| 16 | + # to add more allowlisted approvers just modify this env variable |
| 17 | + maintainers: seebees, texastony, ShubhamChaturvedi7, lucasmcdonald3, josecorella, imabhichow, rishav-karanjit, antonf-amzn, justplaz, ajewellamz |
| 18 | + steps: |
| 19 | + - uses: actions/checkout@v3 |
| 20 | + with: |
| 21 | + fetch-depth: 0 |
| 22 | + |
| 23 | + - name: Get Files changed |
| 24 | + id: file-changes |
| 25 | + shell: bash |
| 26 | + run: |
| 27 | + # *release.yml files are responsible for releasing builds |
| 28 | + # we require multiple approvers if any of those files change |
| 29 | + # when adding any release file, it must be appended with *release |
| 30 | + # we also want to check if there are changes to this file |
| 31 | + echo "FILES=$(git diff --name-only origin/main origin/${GITHUB_HEAD_REF} .github/workflows/*release.yml .github/workflows/check-files.yml | tr '\n' ' ')" >> "$GITHUB_OUTPUT" |
| 32 | + |
| 33 | + - name: Check if FILES is not empty |
| 34 | + id: comment |
| 35 | + env: |
| 36 | + PR_NUMBER: ${{ github.event.number }} |
| 37 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 38 | + FILES: ${{ steps.file-changes.outputs.FILES }} |
| 39 | + if: ${{env.FILES != ''}} |
| 40 | + run: | |
| 41 | + COMMENT="Detected changes to the release files or to the check-files action" |
| 42 | + COMMENT_URL="https://api.github.com/repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" |
| 43 | + curl -s -H "Authorization: token ${GITHUB_TOKEN}" -X POST $COMMENT_URL -d "{\"body\":\"$COMMENT\"}" |
| 44 | +
|
| 45 | + - name: Check Approvers |
| 46 | + id: approvers |
| 47 | + if: steps.comment.outcome == 'success' |
| 48 | + # if this step fails we want to continue to post a message on the PR. |
| 49 | + continue-on-error: true |
| 50 | + # we are using this action because it does the heavy lifting for us, it uses the github_token enabled |
| 51 | + # for github actions, this is ok because tokens are created for every workflow run and they expire at the end |
| 52 | + # of the job |
| 53 | + |
| 54 | + with: |
| 55 | + token: ${{ secrets.GITHUB_TOKEN }} |
| 56 | + min-required: 2 |
| 57 | + required-approvers-list: ${{env.maintainers}} |
| 58 | + |
| 59 | + - name: Post Approvers Result |
| 60 | + if: steps.approvers.outcome == 'failure' |
| 61 | + env: |
| 62 | + PR_NUMBER: ${{ github.event.number }} |
| 63 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 64 | + run: | |
| 65 | + COMMENT="Changes to the release files or the check-files action requires 2 approvals from CODEOWNERS" |
| 66 | + COMMENT_URL="https://api.github.com/repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" |
| 67 | + curl -s -H "Authorization: token ${GITHUB_TOKEN}" -X POST $COMMENT_URL -d "{\"body\":\"$COMMENT\"}" |
| 68 | + exit 1 |
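Review bot: The Check Approvers step (file lines 45–57) supplies `with:` inputs (`token`, `min-required`, `required-approvers-list`) but never names an action, so the workflow will fail validation — `with` is only valid under `uses:`, and the comment at lines 50–52 suggests a third-party approvals action was meant to go there. Add a line such as `uses: OWNER/APPROVALS-ACTION@<full-commit-sha>  # placeholder — pin to a commit, not a tag, since the job hands it a write-scoped token` directly above `with:`. Two further points: the `permissions:` block at lines 11–13 grants only `issues` and `pull-requests`, which sets every unlisted scope including `contents` to none, so the `actions/checkout` step probably needs `contents: read` added; and because this is a `pull_request`-triggered job it executes the workflow as it exists in the PR itself, so it can only report, and the real gate should be a branch-protection required status check plus CODEOWNERS review requirements, which the comment at line 15 hints is the limitation being worked around. Finally, the command at line 31 uses a two-dot diff (`origin/main origin/${GITHUB_HEAD_REF}`), which also lists files changed on main since the branch point; `git diff --name-only "origin/main...origin/${GITHUB_HEAD_REF}" -- .github/workflows/*release.yml .github/workflows/check-files.yml` (three dots, quoted ref) reports only the PR's own changes.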