Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: only prohibit self-approval for sensitive files #49

Merged
merged 4 commits into from
Sep 17, 2024
Merged

feat: only prohibit self-approval for sensitive files #49

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
eb158a8
ci: only prohibit self-approval for production changes
corneliusroemer Sep 17, 2024
34adf73
Also require approval for self-approval and production promotion work…
corneliusroemer Sep 17, 2024
f794691
add terminal new line back
corneliusroemer Sep 17, 2024
869eb07
f
corneliusroemer Sep 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 19 additions & 4 deletions .github/workflows/self-approval-check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ on:
pull_request:
types: [opened, reopened, synchronize]
pull_request_review:
types: [submitted]
types: [submitted, edited, dismissed]

jobs:
check-pr-self-approval:
Expand All @@ -13,13 +13,25 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4

- name: Get changed files
id: changed-files
uses: tj-actions/changed-files@v45
with:
files: |
deploy/production/config.json
.github/workflows/self-approval-check.yml
.github/workflows/promote-staging-to-production.yml

- name: Check if PR from GitHub Actions is self-approved
id: check-self-approval
if: steps.changed-files.outputs.any_changed == 'true'
env:
PR_NUMBER: ${{ github.event.pull_request.number }}
PR_BODY: ${{ github.event.pull_request.body }}
PR_AUTHOR: ${{ github.event.pull_request.user.login }}
run: |
CHANGED_FILES="${{ steps.changed-files.outputs.all_changed_files }}"
echo "Changed sensitive files: $CHANGED_FILES"
# Check if PR is created by GitHub Actions
if [[ "$PR_AUTHOR" == "github-actions[bot]" ]]; then
echo "PR created by GitHub Actions, extracting actor from body..."
Expand Down Expand Up @@ -51,9 +63,12 @@ jobs:

- name: PR Self-Approval Status
run: |
if [[ ${{ steps.check-self-approval.outcome }} == 'failure' ]]; then
echo "::error::This PR was created by GitHub Actions and has been self-approved. This is not allowed for security reasons."
if [[ ${{ steps.changed-files.outputs.any_changed }} != 'true' ]]; then
echo "No sensitive files were changed. No self-approval check needed."
elif [[ ${{ steps.check-self-approval.outcome }} == 'failure' ]]; then
echo "::error::This PR changes sensitive files and prohibits self-review for security reasons."
echo "Changed files: ${{ steps.changed-files.outputs.all_changed_files }}"
exit 1
else
echo "PR self-approval check passed."
fi
fi