From de38cb20274fd5eb8ccd6c590704d6f3089a9395 Mon Sep 17 00:00:00 2001
From: Eric Hanson <5846501+ericphanson@users.noreply.github.com>
Date: Sat, 13 Jan 2024 15:49:13 +0100
Subject: [PATCH 01/11] add workflow for author approved label
---
 .github/workflows/author_approval.yml | 33 +++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 .github/workflows/author_approval.yml
diff --git a/.github/workflows/author_approval.yml b/.github/workflows/author_approval.yml
new file mode 100644
index 000000000000000..d325cb2f7b20a18
--- /dev/null
+++ b/.github/workflows/author_approval.yml
@@ -0,0 +1,33 @@
+name: Author Approval Label
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ label:
+ runs-on: ubuntu-latest
+ # Run on comments that are:
+ # 1) on PRs, not issues,
+ # 2) not from bot users and,
+ # 3) include the string "approved"
+ # If so, we will do the work to check that the commenter is the package author,
+ # and conditionally apply the author-approved label.
+ if: ${{ github.event.issue.pull_request && github.event.issue.user.type != 'Bot' && contains(github.event.comment.body, 'approved') }}
+ steps:
+ - name: Verify package author
+ id: verify-author
+ env:
+ PR_BODY: ${{ github.event.issue.body }}
+ COMMENTER: ${{ github.event.comment.user.login }}
+ shell: julia --color=yes {0}
+ run: |
+ m = match(r"Created by: @([^\s]+)", ENV["PR_BODY"])
+ verified = !isnothing(m) && m[1] == ENV["COMMENTER"]
+ open(ENV["GITHUB_OUTPUT"], "a") do io
+ println(io, "verified=$verified")
+ end
+ - name: Add label
+ if: ${{ steps.verify-author.outputs.verified == 'true' }}
+ env:
+ PR_NUM: ${{ github.event.issue.number }}
+ run: gh pr edit "$PR_NUM" --add-label "author-approved"
From 0339249fe94fb0a94d672da09e5e8ec564912177 Mon Sep 17 00:00:00 2001
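Review bot: The bot filter in the job-level `if:` inspects `github.event.issue.user.type`, which is the PR author's account type, while the comment directly above says the intent is to skip comments from bot users; the commenter's type is `github.event.comment.user.type`, so the condition should read `github.event.comment.user.type != 'Bot'` (and if the PRs this runs on are themselves opened by a bot account, the current form would never fire at all). Separately, the author check trusts the `Created by: @…` line of the PR body, which only means something when that body was written by a trusted source; nothing in the job pins `github.event.issue.user.login` to the account that writes those bodies, so that pin is worth adding to the `if:` if the resulting label is consumed by anything downstream. The `m[1] == ENV["COMMENTER"]` comparison is case-sensitive although GitHub logins are not, which can only yield a false negative, so that is a usability point rather than a trust one.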
From: Eric Hanson <5846501+ericphanson@users.noreply.github.com>
Date: Sat, 13 Jan 2024 15:57:18 +0100
Subject: [PATCH 02/11] add token/repo
---
 .github/workflows/author_approval.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/author_approval.yml b/.github/workflows/author_approval.yml
index d325cb2f7b20a18..fbb5b94ae5b6e5b 100644
--- a/.github/workflows/author_approval.yml
+++ b/.github/workflows/author_approval.yml
@@ -30,4 +30,6 @@ jobs:
 if: ${{ steps.verify-author.outputs.verified == 'true' }}
 env:
 PR_NUM: ${{ github.event.issue.number }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_REPO: ${{ github.repository }}
 run: gh pr edit "$PR_NUM" --add-label "author-approved"
From 144bb85d8227be0905739c8e07eaf8461cb91686 Mon Sep 17 00:00:00 2001
From: Eric Hanson <5846501+ericphanson@users.noreply.github.com>
Date: Sun, 14 Jan 2024 23:17:48 +0100
Subject: [PATCH 03/11] Update .github/workflows/author_approval.yml
---
 .github/workflows/author_approval.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/author_approval.yml b/.github/workflows/author_approval.yml
index fbb5b94ae5b6e5b..94363baa472f51c 100644
--- a/.github/workflows/author_approval.yml
+++ b/.github/workflows/author_approval.yml
@@ -17,6 +17,8 @@ jobs:
 - name: Verify package author
 id: verify-author
 env:
+ # We use an env variable, not direct interpolation into the script, for security:
+ # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
 PR_BODY: ${{ github.event.issue.body }}
 COMMENTER: ${{ github.event.comment.user.login }}
 shell: julia --color=yes {0}
From 296da4f342398323aaef5f749d35225f1f05581a Mon Sep 17 00:00:00 2001
From: Eric Hanson <5846501+ericphanson@users.noreply.github.com>
Date: Sun, 14 Jan 2024 23:49:38 +0100
Subject: [PATCH 04/11] fixes from testing in other repo
---
 .github/workflows/author_approval.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/author_approval.yml b/.github/workflows/author_approval.yml
index 94363baa472f51c..548d4b74202db6d 100644
--- a/.github/workflows/author_approval.yml
+++ b/.github/workflows/author_approval.yml
@@ -5,6 +5,8 @@ on:
 jobs:
 label:
+ permissions:
+ pull-requests: write
 runs-on: ubuntu-latest
 # Run on comments that are:
 # 1) on PRs, not issues,
@@ -21,10 +23,13 @@ jobs:
 # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
 PR_BODY: ${{ github.event.issue.body }}
 COMMENTER: ${{ github.event.comment.user.login }}
- shell: julia --color=yes {0}
+ shell: julia --compile=min --optimize=0 --color=yes {0}
 run: |
 m = match(r"Created by: @([^\s]+)", ENV["PR_BODY"])
 verified = !isnothing(m) && m[1] == ENV["COMMENTER"]
+ println("Matched user: ", m === nothing ? nothing : m[1])
+ println("Commenter: ", ENV["COMMENTER"])
+ println("Verified: ", verified)
 open(ENV["GITHUB_OUTPUT"], "a") do io
 println(io, "verified=$verified")
 end
From e73a2c339abb692deafc382ad9f0c32c14a22b08 Mon Sep 17 00:00:00 2001
From: Eric Hanson <5846501+ericphanson@users.noreply.github.com>
Date: Sun, 14 Jan 2024 23:49:45 +0100
Subject: [PATCH 05/11] rename
---
 .github/workflows/author_approval.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/author_approval.yml b/.github/workflows/author_approval.yml
index 548d4b74202db6d..faaf2d55b487b78 100644
--- a/.github/workflows/author_approval.yml
+++ b/.github/workflows/author_approval.yml
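Review bot: The new debug line `println("Matched user: ", m === nothing ? nothing : m[1])` tests for a missing match with `m === nothing` while the line directly above it uses `!isnothing(m)`; the two are equivalent, but one spelling inside a five-line script reads better, e.g. `println("Matched user: ", isnothing(m) ? nothing : m[1])`. The values printed here are public logins and a boolean, so the extra log output does not widen what the job exposes.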
@@ -39,4 +39,4 @@ jobs:
 PR_NUM: ${{ github.event.issue.number }}
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GH_REPO: ${{ github.repository }}
- run: gh pr edit "$PR_NUM" --add-label "author-approved"
+ run: gh pr edit "$PR_NUM" --add-label "package-author-approved"
From 4c94f6c9aa26f6ef7c3b421a140274baf4d8c04c Mon Sep 17 00:00:00 2001
From: Eric Hanson <5846501+ericphanson@users.noreply.github.com>
Date: Tue, 16 Jan 2024 13:07:43 +0100
Subject: [PATCH 06/11] Update .github/workflows/author_approval.yml
---
 .github/workflows/author_approval.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/author_approval.yml b/.github/workflows/author_approval.yml
index faaf2d55b487b78..cae9617e529e3d5 100644
--- a/.github/workflows/author_approval.yml
+++ b/.github/workflows/author_approval.yml
@@ -14,6 +14,7 @@ jobs:
 # 3) include the string "approved"
 # If so, we will do the work to check that the commenter is the package author,
 # and conditionally apply the author-approved label.
+ # note: `approved` here is case-sensitive
 if: ${{ github.event.issue.pull_request && github.event.issue.user.type != 'Bot' && contains(github.event.comment.body, 'approved') }}
 steps:
 - name: Verify package author
From 2f49d9c0b65aa67685f48e44e891c487790a48df Mon Sep 17 00:00:00 2001
From: Eric Hanson <5846501+ericphanson@users.noreply.github.com>
Date: Sat, 27 Jan 2024 22:04:57 +0100
Subject: [PATCH 07/11] Update author_approval.yml
---
 .github/workflows/author_approval.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/author_approval.yml b/.github/workflows/author_approval.yml
index cae9617e529e3d5..b4d4f1a51d11e9b 100644
--- a/.github/workflows/author_approval.yml
+++ b/.github/workflows/author_approval.yml
@@ -11,11 +11,11 @@ jobs:
 # Run on comments that are:
 # 1) on PRs, not issues,
 # 2) not from bot users and,
- # 3) include the string "approved"
+ # 3) include the string "merge approved"
 # If so, we will do the work to check that the commenter is the package author,
 # and conditionally apply the author-approved label.
- # note: `approved` here is case-sensitive
- if: ${{ github.event.issue.pull_request && github.event.issue.user.type != 'Bot' && contains(github.event.comment.body, 'approved') }}
+ # note: `merge approved` here is NOT case-sensitive, see https://docs.github.com/en/actions/learn-github-actions/expressions#contains
+ if: ${{ github.event.issue.pull_request && github.event.issue.user.type != 'Bot' && contains(github.event.comment.body, 'merge approved') }}
 steps:
 - name: Verify package author
 id: verify-author
From 18ecf40403382a869fce5112f7131e55774afa22 Mon Sep 17 00:00:00 2001
From: Eric Hanson <5846501+ericphanson@users.noreply.github.com>
Date: Mon, 29 Jan 2024 01:01:35 +0100
Subject: [PATCH 08/11] Apply suggestions from code review
Co-authored-by: Dilum Aluthge
---
 .github/workflows/author_approval.yml | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/author_approval.yml b/.github/workflows/author_approval.yml
index b4d4f1a51d11e9b..de85bcba6d1d551 100644
--- a/.github/workflows/author_approval.yml
+++ b/.github/workflows/author_approval.yml
@@ -6,11 +6,14 @@ on:
 jobs:
 label:
 permissions:
+ # We need `write` permissions on `pull-requests` in order to be able to
+ # add/remove labels from PRs. As far as we can tell, there is no narrower
+ # permission that we can use.
 pull-requests: write
 runs-on: ubuntu-latest
- # Run on comments that are:
+ # Run on comments that are satisfy all of the following:
 # 1) on PRs, not issues,
- # 2) not from bot users and,
+ # 2) not from bot users
 # 3) include the string "merge approved"
 # If so, we will do the work to check that the commenter is the package author,
 # and conditionally apply the author-approved label.
@@ -26,7 +29,7 @@ jobs:
 COMMENTER: ${{ github.event.comment.user.login }}
 shell: julia --compile=min --optimize=0 --color=yes {0}
 run: |
- m = match(r"Created by: @([^\s]+)", ENV["PR_BODY"])
+ m = match(r"Created by: @([A-Za-z0-9]*+)(?:$|\n)", ENV["PR_BODY"])
 verified = !isnothing(m) && m[1] == ENV["COMMENTER"]
 println("Matched user: ", m === nothing ? nothing : m[1])
 println("Commenter: ", ENV["COMMENTER"])
@@ -38,6 +41,9 @@ jobs:
 if: ${{ steps.verify-author.outputs.verified == 'true' }}
 env:
 PR_NUM: ${{ github.event.issue.number }}
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # We cannot use `${{ secrets.GITHUB_TOKEN }}` here, because
+ # if we use `GITHUB_TOKEN` here, then the "label created" event
+ # will not trigger any further GitHub Actions.
+ GH_TOKEN: ${{ secrets.TAGBOT_TOKEN }}
 GH_REPO: ${{ github.repository }}
 run: gh pr edit "$PR_NUM" --add-label "package-author-approved"
From 8335718e0a78486f45b2e5e88eff759bfca7fdd5 Mon Sep 17 00:00:00 2001
From: Eric Hanson <5846501+ericphanson@users.noreply.github.com>
Date: Mon, 29 Jan 2024 01:10:34 +0100
Subject: [PATCH 09/11] Apply suggestions from code review
Co-authored-by: Dilum Aluthge
---
 .github/workflows/author_approval.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
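Review bot: The rewritten comment `# Run on comments that are satisfy all of the following:` has a grammatical slip and should read `# Run on comments that satisfy all of the following:`. The numbered list beneath it still describes the gate accurately, and the new `permissions:` comment explaining why `pull-requests: write` is needed is a useful addition.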
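Review bot: The tightened regex `r"Created by: @([A-Za-z0-9]*+)(?:$|\n)"` excludes hyphens, which GitHub logins may contain, so a PR created by a user named like `some-user` (constructed example) can never be verified: the capture stops at the hyphen and the `(?:$|\n)` anchor then fails to match. `[A-Za-z0-9-]*+` keeps the intended "the login is the whole rest of the line" shape while accepting such names. Because the comparison with `ENV["COMMENTER"]` is exact, the mismatch only produces a false negative, so this is a usability regression rather than a trust problem; if the PR body arrives with `\r\n` line endings the same anchor would presumably also fail, which is worth confirming against a real payload.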
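Review bot: Switching `GH_TOKEN` to `secrets.TAGBOT_TOKEN` places a personal access token into a job that any commenter can trigger through `issue_comment`, and the job-level `permissions:` block does not narrow a PAT the way it narrows `GITHUB_TOKEN`. The exposure is contained because the token is only materialised in the `Add label` step, which is gated on `verified == 'true'` and runs a fixed `gh pr edit` whose inputs come from env vars rather than expression interpolation, but that containment should be stated next to the existing comment, e.g. `# This PAT is only exposed to this gated step; keep its scope to the minimum needed to edit PR labels.`, and the token's scope reviewed to match.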
diff --git a/.github/workflows/author_approval.yml b/.github/workflows/author_approval.yml
index de85bcba6d1d551..abffdb3a93bb42b 100644
--- a/.github/workflows/author_approval.yml
+++ b/.github/workflows/author_approval.yml
@@ -14,11 +14,12 @@ jobs:
 # Run on comments that are satisfy all of the following:
 # 1) on PRs, not issues,
 # 2) not from bot users
- # 3) include the string "merge approved"
+ # 3) include the string "[merge approved]"
+ # 4) include the string "[noblock]"
 # If so, we will do the work to check that the commenter is the package author,
 # and conditionally apply the author-approved label.
- # note: `merge approved` here is NOT case-sensitive, see https://docs.github.com/en/actions/learn-github-actions/expressions#contains
- if: ${{ github.event.issue.pull_request && github.event.issue.user.type != 'Bot' && contains(github.event.comment.body, 'merge approved') }}
+ # note: `[merge approved]` here is NOT case-sensitive, see https://docs.github.com/en/actions/learn-github-actions/expressions#contains
+ if: ${{ github.event.issue.pull_request && github.event.issue.user.type != 'Bot' && contains(github.event.comment.body, '[merge approved]') }}
 steps:
 - name: Verify package author
 id: verify-author
@@ -46,4 +47,4 @@ jobs:
 # will not trigger any further GitHub Actions.
 GH_TOKEN: ${{ secrets.TAGBOT_TOKEN }}
 GH_REPO: ${{ github.repository }}
- run: gh pr edit "$PR_NUM" --add-label "package-author-approved"
+ run: gh pr edit "$PR_NUM" --add-label "Override AutoMerge: package author approved"
From cc433578cbfd26122c788411140f878552e5a109 Mon Sep 17 00:00:00 2001
From: Eric Hanson <5846501+ericphanson@users.noreply.github.com>
Date: Mon, 29 Jan 2024 01:11:02 +0100
Subject: [PATCH 10/11] Update .github/workflows/author_approval.yml
---
 .github/workflows/author_approval.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/author_approval.yml b/.github/workflows/author_approval.yml
index abffdb3a93bb42b..a817166578a39d5 100644
--- a/.github/workflows/author_approval.yml
+++ b/.github/workflows/author_approval.yml
@@ -15,7 +15,6 @@ jobs:
 # 1) on PRs, not issues,
 # 2) not from bot users
 # 3) include the string "[merge approved]"
- # 4) include the string "[noblock]"
 # If so, we will do the work to check that the commenter is the package author,
 # and conditionally apply the author-approved label.
 # note: `[merge approved]` here is NOT case-sensitive, see https://docs.github.com/en/actions/learn-github-actions/expressions#contains
From 9d1fd492a3895fbcfea788b2c7b23af1caebdf3a Mon Sep 17 00:00:00 2001
From: Eric Hanson <5846501+ericphanson@users.noreply.github.com>
Date: Mon, 29 Jan 2024 01:21:11 +0100
Subject: [PATCH 11/11] Update .github/workflows/author_approval.yml
Co-authored-by: Dilum Aluthge
---
 .github/workflows/author_approval.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/author_approval.yml b/.github/workflows/author_approval.yml
index a817166578a39d5..b38248858887663 100644
--- a/.github/workflows/author_approval.yml
+++ b/.github/workflows/author_approval.yml
@@ -46,4 +46,4 @@ jobs:
 # will not trigger any further GitHub Actions.
 GH_TOKEN: ${{ secrets.TAGBOT_TOKEN }}
 GH_REPO: ${{ github.repository }}
- run: gh pr edit "$PR_NUM" --add-label "Override AutoMerge: package author approved"
+ run: gh pr edit "${PR_NUM:?}" --add-label "Override AutoMerge: package author approved"