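# Audit Folder Protection
# - makes sure that only members of team 'auditors' can make changes to 'audit/' folder
# https://github.com/orgs/lifinance/teams/auditors
#
# Flow:
#   1. fetch the members of the 'auditors' team (needs a PAT; the default token cannot read teams)
#   2. extract every auditorGitHandle ADDED to audit/audit_log.json by this pull request
#   3. require each such handle to be a team member AND to have approved the pull request
# Every step fails closed: a lookup that returns nothing exits non-zero.
name: Audit Folder Protection
on:
  pull_request:
    types: [opened, synchronize, reopened]
    paths:
      - 'audit/**'
# Least privilege for the default GITHUB_TOKEN; team and review lookups use the PATs below.
permissions:
  contents: read
  pull-requests: read
jobs:
  protect-audit-folder:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history: the default shallow clone has no base-branch commit to `git diff` against
          # in the "Extract Auditor Git Handles" step.
          fetch-depth: 0
      - name: Get 'Auditors' Team Members
        env:
          GH_PAT: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          ##### unset the default git token (does not have sufficient rights to get team members)
          unset GITHUB_TOKEN
          ##### use the Personal Access Token to log into git CLI (token goes via stdin, never argv)
          printf '%s\n' "$GH_PAT" | gh auth login --with-token
          # NOTE(review): the org-read scope must be granted on the PAT itself; `gh auth refresh`
          # cannot add scopes to a stored PAT and may start an interactive flow — confirm this line is needed.
          gh auth refresh -h github.com -s admin:org
          ##### Function that uses github's REST API via CLI to get team members
          # Arguments: $1 organisation, $2 team slug
          # Outputs:   one login per line, across all result pages
          getTeamMembers() {
            local org=$1
            local team=$2
            # --paginate: without it only the first page of members is returned and a
            # legitimate auditor beyond that page would be rejected.
            gh api --paginate \
              -H "Accept: application/vnd.github+json" \
              -H "X-GitHub-Api-Version: 2022-11-28" \
              "/orgs/${org}/teams/${team}/members" | jq -r '.[].login'
          }
          ORG_NAME="lifinance"
          TEAM_SLUG="auditors"
          ##### Get members of each group
          echo "Fetching members of $TEAM_SLUG..."
          MEMBERS=$(getTeamMembers "$ORG_NAME" "$TEAM_SLUG")
          ##### check if any members were returned (fail closed)
          if [[ -z "$MEMBERS" ]]; then
            printf '\033[31mERROR: Could not retrieve team members of group %s\033[0m\n' "$TEAM_SLUG"
            echo "CONTINUE=false" >> "$GITHUB_ENV"
            exit 1
          fi
          echo "Team members of $TEAM_SLUG: "
          echo "$MEMBERS"
          # One login per line; consumed by the "Verify Pull Request Approvals" step.
          printf '%s\n' "$MEMBERS" > members.txt
          echo "CONTINUE=true" >> "$GITHUB_ENV"
      - name: Extract Auditor Git Handles from Modified JSON
        if: env.CONTINUE == 'true'
        env:
          # Diff against the PR's actual base instead of a hard-coded origin/main, so pull
          # requests targeting other branches are checked as well.
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          ##### Extract the diff for the audit log file and filter only added lines with auditorGitHandle
          # \K keeps only the value; a lookbehind containing `.*` is not fixed-length and grep -P rejects it.
          # `|| true`: grep exits 1 when nothing matches, which under the runner's `bash -e` would abort
          # the step before the explicit error below.
          MODIFIED_HANDLES=$(git diff "$BASE_SHA" HEAD -- audit/audit_log.json \
            | grep -oP '^\+.*"auditorGitHandle":\s*"\K[^"]+' | sort -u || true)
          ##### check if any handles were returned (fail closed)
          if [[ -z "$MODIFIED_HANDLES" ]]; then
            printf '\033[31mERROR: No auditor handles found in the modified parts of the JSON file.\033[0m\n'
            exit 1
          fi
          echo "Modified Auditor Git Handles: $MODIFIED_HANDLES"
          printf '%s\n' "$MODIFIED_HANDLES" > modified_auditor_handles.txt
      - name: Verify Pull Request Approvals
        if: env.CONTINUE == 'true'
        env:
          # NOTE(review): a different secret than step 1 (GIT_TOKEN vs GIT_ACTIONS_BOT_PAT_CLASSIC) — confirm intended.
          GH_PAT: ${{ secrets.GIT_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          ##### unset the default git token
          unset GITHUB_TOKEN
          ##### use the Personal Access Token to log into git CLI
          printf '%s\n' "$GH_PAT" | gh auth login --with-token
          ##### Fetch approved handles from the pull request
          # `gh pr view --json reviews` exposes the reviewer as .author.login (the REST shape
          # .user.login is not present there and would yield "null" for every review).
          APPROVED_HANDLES=$(gh pr view "$PR_NUMBER" --json reviews \
            --jq '.reviews | map(select(.state == "APPROVED")) | .[].author.login' | sort -u)
          ##### Check if there are any approvals
          if [[ -z "$APPROVED_HANDLES" ]]; then
            printf '\033[31mERROR: No approvals found on the pull request.\033[0m\n'
            exit 1
          fi
          echo "Approved by: $APPROVED_HANDLES"
          ##### Verify each modified auditor handle is a team member AND has an approval
          # -x -F: whole-line literal match (`grep -w` would let "foo" be satisfied by "foo-bar");
          # -i: GitHub logins are case-insensitive.
          while IFS= read -r handle || [[ -n "$handle" ]]; do
            [[ -n "$handle" ]] || continue
            # Membership check — this is the property the workflow exists to enforce.
            if ! grep -qixF -- "$handle" members.txt; then
              printf '\033[31mERROR: %s is not a member of team %s.\033[0m\n' "$handle" "auditors"
              exit 1
            fi
            if ! grep -qixF -- "$handle" <<<"$APPROVED_HANDLES"; then
              printf '\033[31mERROR: Auditor %s has not approved this pull request.\033[0m\n' "$handle"
              exit 1
            fi
          done < modified_auditor_handles.txt
          printf '\033[32mAll necessary auditors have approved the pull request. Check passed.\033[0m\n'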