CI: Add workflow for author approved label (#98815)

* add workflow for author approved label * add token/repo * Update .github/workflows/author_approval.yml * fixes from testing in other repo * rename * Update .github/workflows/author_approval.yml * Update author_approval.yml * Apply suggestions from code review Co-authored-by: Dilum Aluthge <[email protected]> * Apply suggestions from code review Co-authored-by: Dilum Aluthge <[email protected]> * Update .github/workflows/author_approval.yml * Update .github/workflows/author_approval.yml Co-authored-by: Dilum Aluthge <[email protected]> --------- Co-authored-by: Dilum Aluthge <[email protected]>
JuliaRegistries · Jan 29, 2024 · 75343fd · 75343fd
1 parent f74e4f4
commit 75343fd
Showing 1 changed file with 49 additions and 0 deletions.
diff --git a/.github/workflows/author_approval.yml b/.github/workflows/author_approval.yml
@@ -0,0 +1,49 @@
+name: Author Approval Label
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  label:
+    permissions:
+        # We need `write` permissions on `pull-requests` in order to be able to
+        # add/remove labels from PRs. As far as we can tell, there is no narrower
+        # permission that we can use.
+        pull-requests: write
+    runs-on: ubuntu-latest
+    # Run on comments that are satisfy all of the following:
+    # 1) on PRs, not issues,
+    # 2) not from bot users
+    # 3) include the string "[merge approved]"
+    # If so, we will do the work to check that the commenter is the package author,
+    # and conditionally apply the author-approved label.
+    # note: `[merge approved]` here is NOT case-sensitive, see https://docs.github.com/en/actions/learn-github-actions/expressions#contains
+    if: ${{ github.event.issue.pull_request && github.event.issue.user.type != 'Bot' && contains(github.event.comment.body, '[merge approved]') }}
+    steps:
+      - name: Verify package author
+        id: verify-author
+        env:
+          # We use an env variable, not direct interpolation into the script, for security:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          PR_BODY: ${{ github.event.issue.body }}
+          COMMENTER: ${{ github.event.comment.user.login }}
+        shell: julia --compile=min --optimize=0 --color=yes {0}
+        run: |
+          m = match(r"Created by: @([A-Za-z0-9]*+)(?:$|\n)", ENV["PR_BODY"])
+          verified = !isnothing(m) && m[1] == ENV["COMMENTER"]
+          println("Matched user: ", m === nothing ? nothing : m[1])
+          println("Commenter: ", ENV["COMMENTER"])
+          println("Verified: ", verified)
+          open(ENV["GITHUB_OUTPUT"], "a") do io
+            println(io, "verified=$verified")
+          end
+      - name: Add label
+        if: ${{ steps.verify-author.outputs.verified == 'true' }}
+        env:
+          PR_NUM: ${{ github.event.issue.number }}
+          # We cannot use `${{ secrets.GITHUB_TOKEN }}` here, because
+          # if we use `GITHUB_TOKEN` here, then the "label created" event
+          # will not trigger any further GitHub Actions.
+          GH_TOKEN: ${{ secrets.TAGBOT_TOKEN }}
+          GH_REPO: ${{ github.repository }}
+        run: gh pr edit "${PR_NUM:?}" --add-label "Override AutoMerge: package author approved"