Skip to content
name: Require backend-review-group approval
on:
pull_request:
types: [opened, reopened, review_requested, synchronize, ready_for_review]
pull_request_review:
types: [submitted]
jobs:
check-approval-requirements:
permissions: write-all
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Configure AWS Credentials
uses: aws-actions/[email protected]
with:
aws-access-key-id: ${{ secrets.aws_access_key_id }}
aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
aws-region: "us-gov-west-1"
- name: Get bot token from Parameter Store
uses: marvinpinto/action-inject-ssm-secrets@latest
with:
ssm_parameter: /devops/VA_VSP_BOT_GITHUB_TOKEN
env_variable_name: VA_VSP_BOT_GITHUB_TOKEN
# Find BE Approval comment
- name: Find BE Approval Comment
uses: peter-evans/find-comment@v3
id: find_backend_approval_comment
with:
issue-number: ${{ github.event.pull_request.number }}
body-includes: "Backend-review-group approval confirmed."
# If backend-review-group approval is required, get team members
- name: Get backend-review-group members
if: contains(github.event.pull_request.labels.*.name, 'require-backend-approval')
id: get_team_members
uses: octokit/[email protected]
with:
route: GET /orgs/department-of-veterans-affairs/teams/backend-review-group/members
env:
GITHUB_TOKEN: ${{ env.VA_VSP_BOT_GITHUB_TOKEN }}
# If backend-review-group approval is required, get reviews
- name: Get PR Reviews
if: contains(github.event.pull_request.labels.*.name, 'require-backend-approval')
id: get_pr_reviews
uses: octokit/[email protected]
with:
route: GET /repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number || github.event.pull_request_review.pull_request.number }}/reviews
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# If backend-review-group approval is required, confirm an approval exists from at least one BE team member
- name: Verify backend-review-group approval
if: contains(github.event.pull_request.labels.*.name, 'require-backend-approval')
id: verify_approval
run: |
BACKEND_REVIEWERS=$(cat <<'EOF' | jq -r '.[].login' | tr '\n' '|' | sed 's/|$//'
${{ steps.get_team_members.outputs.data }}
EOF
)
APPROVALS=$(cat <<'EOF' | jq -r '.[] | select(.state == "APPROVED") | .user.login' | grep -iE "$BACKEND_REVIEWERS" | wc -l
${{ steps.get_pr_reviews.outputs.data }}
EOF
)
echo "Number of backend-review-group approvals: $APPROVALS"
if [ "$APPROVALS" -eq 0 ]; then
echo "approval_status=required" >> $GITHUB_OUTPUT
exit 1
else
echo "approval_status=confirmed" >> $GITHUB_OUTPUT
fi
# If approved and no "Approved" comment, add comment
- name: Comment PR - Approval Confirmed
if: success() && steps.verify_approval.outputs.approval_status == 'confirmed' && steps.find_backend_approval_comment.outputs.comment-id == ''
uses: peter-evans/create-or-update-comment@v4
with:
issue-number: ${{ github.event.pull_request.number }}
body: "Backend-review-group approval confirmed."
# If approved and has ready-for-review label, remove label
- name: Remove ready-for-review label
if: success() && steps.verify_approval.outputs.approval_status == 'confirmed' && contains(github.event.pull_request.labels.*.name, 'ready-for-backend-review')
uses: actions-ecosystem/action-remove-labels@v1
with:
number: ${{ github.event.pull_request.number }}
labels: |
ready-for-backend-review