Change: add collab-check and wait-for-approval to PR Check workflow (#4565)

benieric · web-flow · commit 24885814ea27 · 2024-04-09T12:50:45.000-07:00
* add collab-check and wait-for-approval to PR Check workflow

* restrict workflow to master* branches
diff --git a/.github/workflows/codebuild-ci.yml b/.github/workflows/codebuild-ci.yml
@@ -1,6 +1,8 @@
 name: PR Checks
 on:
     pull_request_target:
+        branches:
+            - "master*"
 
 concurrency:
     group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref }}
@@ -10,9 +12,39 @@ permissions:
     id-token: write # This is required for requesting the JWT
 
 jobs:
-  codestyle-doc-tests:
+  collab-check:
+    runs-on: ubuntu-latest
+    outputs: 
+      approval-env: ${{ steps.collab-check.outputs.result }}
+    steps:
+      - name: Collaborator Check
+        uses: actions/github-script@v7
+        id: collab-check
+        with:
+          result-encoding: string
+          script: | 
+            try {
+              const res = await github.rest.repos.checkCollaborator({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                username: "${{ github.event.pull_request.user.login }}",
+              });
+              console.log("Verifed ${{ github.event.pull_request.user.login }} is a repo collaborator. Auto Approving PR Checks.")
+              return res.status == "204" ? "auto-approve" : "manual-approval"
+            } catch (error) {
+              console.log("${{ github.event.pull_request.user.login }} is not a collaborator. Requiring Manual Approval to run PR Checks.")
+              return "manual-approval"
+            }
+  wait-for-approval:
     runs-on: ubuntu-latest
+    needs: [collab-check]
+    environment: ${{ needs.collab-check.outputs.approval-env }}
     steps:
+      - run: echo "Workflow Approved! Starting PR Checks."
+  codestyle-doc-tests:
+    runs-on: ubuntu-latest
+    needs: [wait-for-approval]
+    steps: 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
@@ -23,9 +55,10 @@ jobs:
         uses: aws-actions/aws-codebuild-run-build@v1
         with:
           project-name: sagemaker-python-sdk-ci-codestyle-doc-tests
-          source-version-override: 'pr/${{ github.event.pull_request.number }}'
+          source-version-override: 'refs/pull/${{ github.event.pull_request.number }}/head^{${{ github.event.pull_request.head.sha }}}'
   unit-tests:
     runs-on: ubuntu-latest
+    needs: [wait-for-approval]
     strategy:
         fail-fast: false
         matrix:
@@ -41,7 +74,7 @@ jobs:
         uses: aws-actions/aws-codebuild-run-build@v1
         with:
           project-name: sagemaker-python-sdk-ci-unit-tests
-          source-version-override: 'pr/${{ github.event.pull_request.number }}'
+          source-version-override: 'refs/pull/${{ github.event.pull_request.number }}/head^{${{ github.event.pull_request.head.sha }}}'
           env-vars-for-codebuild: |
             PY_VERSION
         env:
