Skip to content

Check

Check #259977

Workflow file for this run

# Workflow will trigger on all pull request (except draft), pull request
# review, and commit push to a pull request (synchronize) event types
#
# NOTE: pull_request_target behaves the same as pull_request except it grants a
# read/write token to workflows running on a pull request from a fork. While
# this may seem unsafe, the permissions for the token are limited below and
# the permissions can not be changed without merging to master which is
# protected by CODEOWNERS.
name: Check
on:
pull_request_review:
type: [submitted, edited, dismissed]
pull_request_target:
types: [opened, ready_for_review, synchronize, labeled, unlabeled]
# Limit the permissions on the GitHub token for this workflow to the subset
# that is required. In this case, the check workflow needs to invalidate
# reviews and delete workflow runs, so it needs write access to "actions" and
# "pull-requests", nothing else.
permissions:
actions: write
pull-requests: write
checks: none
contents: none
deployments: none
issues: none
packages: none
repository-projects: none
security-events: none
statuses: none
jobs:
check-reviews:
name: Checking reviewers
if: ${{ !github.event.pull_request.draft && !startsWith(github.head_ref, 'dependabot/') }}
runs-on: ubuntu-latest
steps:
- name: Generate GitHub Token
id: generate_token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ secrets.REVIEWERS_APP_ID }}
private-key: ${{ secrets.REVIEWERS_PRIVATE_KEY }}
# Checkout main branch of shared-workflow repository.
- name: Checkout shared-workflow
uses: actions/checkout@v4
with:
repository: gravitational/shared-workflows
path: .github/shared-workflows
ref: main
- name: Installing Go
uses: actions/setup-go@v5
with:
go-version: 'stable'
# Run "check" subcommand on bot.
- name: Checking reviewers
run: cd .github/shared-workflows/bot && go run main.go -workflow=check -token="${{ steps.generate_token.outputs.token }}" -reviewers="${{ secrets.reviewers }}"