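--- /dev/null
+++ b/.github/workflows/approval-check.yml
@@ -0,0 +1,71 @@
+name: Check approval condition
+
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened, ready_for_review]
+    branches:
+      - main
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  run-if-trusted-or-approved:
+    runs-on: ubuntu-latest
+
+    # We must first fetch the PR's review status using the gh CLI,
+    # because the 'pull_request_target' event payload is minimal and doesn't
+    # include the 'github.event.review' object
+
+    steps:
+      - name: Check Author Trust
+        id: check_author
+        env:
+          TRUSTED_LIST: ${{ vars.TRUSTED_AUTHORS_JSON }}
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+        run: |
+          if echo "$TRUSTED_LIST" | grep -q "\"$PR_AUTHOR\""; then
+            echo "Result: Author is trusted."
+            echo "trusted=true" >> $GITHUB_OUTPUT
+          else
+            echo "Result: Author is not trusted."
+            echo "trusted=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Check for Trusted Approval
+        id: check_approval
+        # This step only runs if the author was NOT trusted (short-circuiting)
+        if: steps.check_author.outputs.trusted == 'false'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TRUSTED_LIST: ${{ vars.TRUSTED_AUTHORS_JSON }}
+          PR_NUMBER: ${{ github.event.number }}
+        run: |
+          echo "Author not trusted. Checking for approved reviews from trusted reviewers..."
+
+          # 1. Get all "APPROVED" reviews for this PR
+          # 2. Filter them to get just the logins of the approvers
+          # 3. Use 'grep' to see if ANY of those approvers are in our trusted list
+          if gh pr review list "$PR_NUMBER" --state APPROVED --json author --jq '.[].author.login' | grep -q -F -f <(echo "$TRUSTED_LIST" | jq -r '.[]')
+          then
+            echo "Result: Found an APPROVED review from a trusted user."
+            echo "approved=true" >> $GITHUB_OUTPUT
+          else
+            echo "Result: No approved reviews found from trusted users."
+            echo "approved=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Gate Check
+        # This is the final check that will pass or fail the job
+        if: steps.check_author.outputs.trusted == 'true' || steps.check_approval.outputs.approved == 'true'
+        run: |
+          echo "Success: Conditions met."
+
+      - name: Fail Check
+        # If neither check passed, this step explicitly fails the job
+        if: steps.check_author.outputs.trusted == 'false' && steps.check_approval.outputs.approved != 'true'
+        run: |
+          echo "Failure: PR author is not trusted AND no trusted approval was found."
+          exit 1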
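Review bot: The approval check on the `gh pr review list` line accepts any APPROVED review ever submitted on the PR without tying it to the commit being gated, so an approval given on an earlier revision still satisfies the gate when a later push re-triggers the workflow on `synchronize`; for a `pull_request_target` gate whose result presumably unlocks a privileged downstream job, each review's `commit_id` should be compared with `github.event.pull_request.head.sha`. The same line matches approver logins as substrings (`grep -F -f` without `-x`), so a trusted login that is a prefix of another account's login would match it; add `-x` so each login must match a trusted entry whole-line. I also do not believe `gh pr review list` or its `--state` flag exist as gh subcommands (`gh pr review` submits a review), which in the current `if … ; then` form would silently land in the "not approved" branch rather than surface as an error; the pull-request reviews REST endpoint via `gh api` is a reliable replacement. The rewritten step body is below; the surrounding steps are unchanged.
```yaml
      - name: Check for Trusted Approval
        id: check_approval
        # … unchanged: if / GITHUB_TOKEN, TRUSTED_LIST, PR_NUMBER env entries …
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          echo "Author not trusted. Checking for approved reviews from trusted reviewers..."

          # Only approvals submitted against the exact head commit count, and an
          # approver login must equal a trusted entry whole-line (-x), not contain it.
          if gh api --paginate "repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}/reviews" \
               | jq -r --arg sha "$HEAD_SHA" '.[] | select(.state == "APPROVED" and .commit_id == $sha) | .user.login' \
               | grep -qxF -f <(echo "$TRUSTED_LIST" | jq -r '.[]')
          then
          # … unchanged: approved=true / approved=false branches …
```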