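# release-approval.yml
#
# This workflow checks that a PR has been reviewed by a member of FluidFramework-ReleaseApprovers.
#
# This workflow is normally triggered by the completion of the release-branches workflow. However, it can also be run
# manually using the GitHub UI and providing a PR number.
#
# Trust boundary: every value the `metadata` job exposes originates either in an artifact uploaded by the
# release-branches run (workflow_run) or in a user-typed input (workflow_dispatch). A workflow_run-triggered
# workflow executes in the base repository's context with its secrets, so artifact contents must be treated as
# untrusted data, not as trusted configuration. NOTE(review): whether release-branches runs on pull_request events
# (and therefore whether the artifact can be authored by a PR contributor) is not visible here — confirm against
# release-branches.yml. Either way, these values are only ever handed to shell steps through environment variables,
# never interpolated with ${{ }} into a `run:` script, and their shape is validated before any other job uses them.
name: release-approval
on:
  workflow_run:
    # Workflow is typically triggered by the completion of the release-branches workflow.
    workflows: [release-branches]
    types: [completed]
  # The workflow can be triggered manually in the GitHub UI.
  workflow_dispatch:
    inputs:
      pr:
        description: "PR number on which to run approval checks"
        required: true

permissions:
  # Needed to read artifacts from upstream workflows
  actions: read
  # Needed to check pull request metadata for review status
  pull-requests: read
  # Needed to update the PR check status to permit/prevent merge
  statuses: write

jobs:
  metadata:
    name: Get PR metadata
    runs-on: ubuntu-latest
    outputs:
      pr_num: ${{ steps.workflow_run_load_pr.outputs.pr_num || steps.workflow_dispatch_load_pr.outputs.pr_num }}
      is_release_branch: ${{ steps.workflow_run_is_release_branch.outputs.is_release_branch || steps.workflow_dispatch_is_release_branch.outputs.is_release_branch }}
      commit_sha: ${{ steps.workflow_run_load_commit_sha.outputs.commit_sha || steps.workflow_dispatch_load_commit_sha.outputs.result }}
    steps:
      ### These steps run on workflow_run event only ###
      - name: Download metadata
        if: github.event_name == 'workflow_run'
        # release notes: https://github.com/dawidd6/action-download-artifact/releases/tag/v6
        uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # ratchet:dawidd6/action-download-artifact@v6
        with:
          workflow: release-branches.yml
          run_id: ${{ github.event.workflow_run.id }}
          name: release-branch-pr-metadata
          path: ./artifacts
      # The three files below are read verbatim from the downloaded artifact; they are validated
      # (and only then trusted) by the "Validate metadata" step at the end of this job.
      - name: "workflow_run: Load PR number"
        id: workflow_run_load_pr
        if: github.event_name == 'workflow_run'
        working-directory: ./artifacts
        run: echo "pr_num=$(cat pr)" >> "$GITHUB_OUTPUT"
      - name: "workflow_run: Load is_release_branch"
        id: workflow_run_is_release_branch
        if: github.event_name == 'workflow_run'
        working-directory: ./artifacts
        run: echo "is_release_branch=$(cat is_release_branch)" >> "$GITHUB_OUTPUT"
      - name: "workflow_run: Load commit_sha"
        id: workflow_run_load_commit_sha
        if: github.event_name == 'workflow_run'
        working-directory: ./artifacts
        run: echo "commit_sha=$(cat commit_sha)" >> "$GITHUB_OUTPUT"

      ### These steps run on workflow_dispatch event only ###
      - name: "workflow_dispatch: Load PR number"
        id: workflow_dispatch_load_pr
        if: github.event_name == 'workflow_dispatch'
        env:
          # Passed through the environment instead of being expanded with ${{ }} inside the script,
          # so the input is shell data rather than part of the command text.
          PR_INPUT: ${{ github.event.inputs.pr }}
        run: echo "pr_num=$PR_INPUT" >> "$GITHUB_OUTPUT"
      - name: "workflow_dispatch: Load is_release_branch"
        id: workflow_dispatch_is_release_branch
        if: github.event_name == 'workflow_dispatch'
        # A manual run is always treated as a release-branch check; the operator chose the PR deliberately.
        run: echo "is_release_branch=true" >> "$GITHUB_OUTPUT"
      - name: "workflow_dispatch: Load commit_sha"
        id: workflow_dispatch_load_commit_sha
        if: github.event_name == 'workflow_dispatch'
        # release notes: https://github.com/actions/github-script/releases/tag/v7.0.1
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # ratchet:actions/github-script@v7.0.1
        env:
          PR_NUMBER: ${{ steps.workflow_dispatch_load_pr.outputs.pr_num }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          result-encoding: string
          # Gets the head commit of the PR
          script: |
            const { data: pr } = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: process.env.PR_NUMBER,
            });
            return pr.head.sha;

      ### This step runs on both events ###
      - name: Validate metadata
        # pr_num is later placed on a command line and commit_sha selects which commit receives the
        # approval status, so both must have exactly the expected shape. A bad value fails this job,
        # which (via `needs`) prevents check_approval from running and from publishing any status.
        # The raw values are deliberately not echoed: a line starting with `::` in step output is
        # interpreted as a workflow command.
        env:
          PR_NUM: ${{ steps.workflow_run_load_pr.outputs.pr_num || steps.workflow_dispatch_load_pr.outputs.pr_num }}
          COMMIT_SHA: ${{ steps.workflow_run_load_commit_sha.outputs.commit_sha || steps.workflow_dispatch_load_commit_sha.outputs.result }}
        run: |
          if ! [[ "$PR_NUM" =~ ^[0-9]+$ ]]; then
            echo "::error::pr_num from metadata is not a PR number"
            exit 1
          fi
          if ! [[ "$COMMIT_SHA" =~ ^[0-9a-f]{40}$ ]]; then
            echo "::error::commit_sha from metadata is not a full commit SHA"
            exit 1
          fi

  check_approval:
    name: Check PR approval
    if: needs.metadata.outputs.is_release_branch == 'true'
    needs: metadata
    runs-on: ubuntu-latest
    steps:
      # Setting status on the PR's head commit is needed in order to associate this workflow run with the PR, since this
      # workflow is not directly triggered by the PR.
      - name: Set commit status as pending
        # release notes: https://github.com/myrotvorets/set-commit-status-action/releases/tag/v2.0.1
        uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # ratchet:myrotvorets/set-commit-status-action@v2.0.1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          sha: ${{ needs.metadata.outputs.commit_sha }}
          status: pending
          context: Check PR approval

      # release notes: https://github.com/actions/checkout/releases/tag/v4.1.7
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4
        with:
          # The default ref when triggered by the workflow_run event is the default branch -- main
          # This means the build-tools from the main branch will always be used.
          persist-credentials: false
          submodules: false

      # install and configure node, pnpm and the changeset tools
      # release notes: https://github.com/pnpm/action-setup/releases/tag/v4.0.0
      - uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # ratchet:pnpm/action-setup@v4
      # release notes: https://github.com/actions/setup-node/releases/tag/v4.0.3
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # ratchet:actions/setup-node@v4
        with:
          node-version-file: .nvmrc
          cache: "pnpm"
          cache-dependency-path: pnpm-lock.yaml

      - name: Install Fluid build tools
        # Best-effort on purpose: if the install breaks, the approval check below fails and a
        # "failure" status is still published instead of leaving the commit with a dangling "pending".
        continue-on-error: true
        run: |
          cd build-tools
          pnpm install --frozen-lockfile
          pnpm run build:compile
          # We want flub available to call, so we run npm link in the build-cli package, which creates shims that are available on the PATH
          # Use npm link instead of pnpm link because it handles bins better
          cd packages/build-cli
          npm link

      - name: Check build-tools installation
        run: |
          # Info for debugging
          which flub
          flub --help
          flub commands

      - name: Check PR approval
        id: check-pr
        env:
          # The standard token doesn't have org:read permissions, and that scope can't be added using permissions in
          # the workflow.
          GITHUB_TOKEN: ${{ secrets.ORGANIZATION_READ_PAT }}
          # Passed through the environment (not expanded with ${{ }} inside the script) so that a
          # crafted pr_num cannot change the command being run; its shape was validated in `metadata`.
          PR_NUM: ${{ needs.metadata.outputs.pr_num }}
          REPO: ${{ github.repository }}
        # The step is allowed to fail so that the outcome can be mapped onto a commit status below
        # instead of aborting the job.
        continue-on-error: true
        run: |
          # This command will fail with an error if the PR is not approved; the step outcome
          # is then published as the commit status by the steps that follow.
          flub check prApproval \
            --pr "$PR_NUM" \
            --repo "$REPO" \
            --team FluidFramework-ReleaseApprovers

      - name: Set commit status as success
        if: steps.check-pr.outcome == 'success'
        # release notes: https://github.com/myrotvorets/set-commit-status-action/releases/tag/v2.0.1
        uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # ratchet:myrotvorets/set-commit-status-action@v2.0.1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          sha: ${{ needs.metadata.outputs.commit_sha }}
          status: success
          context: Check PR approval

      - name: Set commit status as failure
        if: steps.check-pr.outcome != 'success'
        # release notes: https://github.com/myrotvorets/set-commit-status-action/releases/tag/v2.0.1
        uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # ratchet:myrotvorets/set-commit-status-action@v2.0.1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          sha: ${{ needs.metadata.outputs.commit_sha }}
          status: failure
          context: Check PR approval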