checks_secure.yml
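name: Checks (secure)
# Runs in the context of the base branch with a read/write token, because the
# trigger is pull_request_target rather than pull_request.
#
# NOTE(review): no `permissions:` block is declared, so the token receives the
# repository's default scopes. Consider declaring only what this job needs
# (presumably `contents: read` and `pull-requests: write`; confirm against
# scripts/gha/dismiss_reviews.py before restricting).
on:
  pull_request_target:
    # Only when another commit was added to the PR.
    types: [synchronize]
concurrency:
  # Keyed on the PR number instead of the head branch name: head_ref carries
  # no fork owner, so unrelated PRs whose branches share a name would land in
  # one group and cancel each other, leaving a stale approval undismissed.
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true
jobs:
  dismiss_stale_approvals:
    # Dismiss stale approvals for users without write access, or if this PR
    # comes from a fork.
    runs-on: ubuntu-20.04
    steps:
      - name: Check user permission
        id: check
        # NOTE(review): the action reference below was mangled by e-mail
        # obfuscation on the page this file was captured from. Restore the
        # real `owner/action@version` from the repository, and prefer pinning
        # third-party actions to a full commit SHA.
        uses: scherermichael-oss/[email protected]
        # This action sets outputs.has-permission to '1' or ''
        with:
          required-permission: write
        env:
          GITHUB_TOKEN: ${{ github.token }}
      # No `ref` is given, so this checks out the base branch: the script and
      # requirements file run below come from the base repository, not from
      # the PR. Keep it that way, since this job holds a write-capable token.
      - uses: actions/checkout@v3
        if: steps.check.outputs.has-permission != 1 || github.event.pull_request.head.repo.full_name != github.repository
        with:
          submodules: false
      - name: Setup python
        if: steps.check.outputs.has-permission != 1 || github.event.pull_request.head.repo.full_name != github.repository
        uses: actions/setup-python@v4
        with:
          # Quoted so the version stays a string (a bare 3.10 would load as 3.1).
          python-version: '3.8'
      - name: Install prerequisites
        if: steps.check.outputs.has-permission != 1 || github.event.pull_request.head.repo.full_name != github.repository
        run: pip install -r scripts/gha/python_requirements.txt
      - name: Dismiss reviews
        if: steps.check.outputs.has-permission != 1 || github.event.pull_request.head.repo.full_name != github.repository
        shell: bash
        # Values reach the script through the environment instead of being
        # expanded into the shell text, so the token is never part of the
        # generated script and no expression is interpreted by bash.
        env:
          GITHUB_TOKEN: ${{ github.token }}
          PULL_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          python scripts/gha/dismiss_reviews.py \
            --token "$GITHUB_TOKEN" \
            --pull_number "$PULL_NUMBER" \
            --review_state=APPROVED \
            --message "🍞 Dismissed stale approval on external PR."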