PR Self-Approval Check #125
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PR Self-Approval Check | |
| on: | |
| pull_request: | |
| types: [opened, reopened, synchronize] | |
| pull_request_review: | |
| types: [submitted, edited, dismissed] | |
| jobs: | |
| check-pr-self-approval: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Get changed files | |
| id: changed-files | |
| uses: tj-actions/changed-files@v45 | |
| with: | |
| files: | | |
| deploy/production/config.json | |
| .github/workflows/self-approval-check.yml | |
| .github/workflows/promote-staging-to-production.yml | |
| - name: Check if PR from GitHub Actions is self-approved | |
| id: check-self-approval | |
| if: steps.changed-files.outputs.any_changed == 'true' | |
| env: | |
| PR_NUMBER: ${{ github.event.pull_request.number }} | |
| PR_BODY: ${{ github.event.pull_request.body }} | |
| PR_AUTHOR: ${{ github.event.pull_request.user.login }} | |
| run: | | |
| CHANGED_FILES="${{ steps.changed-files.outputs.all_changed_files }}" | |
| echo "Changed sensitive files: $CHANGED_FILES" | |
| # Check if PR is created by GitHub Actions | |
| if [[ "$PR_AUTHOR" == "github-actions[bot]" ]]; then | |
| echo "PR created by GitHub Actions, extracting actor from body..." | |
| # Extract actor from PR body | |
| ACTOR=$(echo "$PR_BODY" | grep -oP '^\K[^ ]+(?= wants to)' | head -n1) | |
| if [[ -z "$ACTOR" ]]; then | |
| echo "Could not extract actor from PR body" | |
| exit 1 | |
| fi | |
| echo "Actor extracted from PR body: $ACTOR" | |
| # Check for approval from the actor | |
| APPROVALS=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
| "https://api.github.com/repos/${{ github.repository }}/pulls/$PR_NUMBER/reviews" | \ | |
| jq -r '.[] | select(.state == "APPROVED" and .user.login == "'"$ACTOR"'") | .user.login') | |
| if [[ -n "$APPROVALS" ]]; then | |
| echo "Error: PR created by GitHub Actions has been self-approved by $ACTOR" | |
| exit 1 | |
| else | |
| echo "No self-approval detected, check passed" | |
| fi | |
| else | |
| echo "PR not created by GitHub Actions, skipping self-approval check" | |
| fi | |
| - name: PR Self-Approval Status | |
| run: | | |
| if [[ ${{ steps.changed-files.outputs.any_changed }} != 'true' ]]; then | |
| echo "No sensitive files were changed. No self-approval check needed." | |
| elif [[ ${{ steps.check-self-approval.outcome }} == 'failure' ]]; then | |
| echo "::error::This PR changes sensitive files and prohibits self-review for security reasons." | |
| echo "Changed files: ${{ steps.changed-files.outputs.all_changed_files }}" | |
| exit 1 | |
| else | |
| echo "PR self-approval check passed." | |
| fi |