Skip to content

release-approval

release-approval #8

# release-approval.yml
#
# This workflow checks that a PR has been reviewed by a member of FluidFramework-ReleaseApprovers.
#
# This workflow is normally triggered by the completion of the release-branches workflow. However, it can also be run
# manually using the GitHub UI and providing a PR number.
name: release-approval
on:
workflow_run:
# Workflow is typically triggered by the completion of the release-branches workflow.
workflows: [release-branches]
types: [completed]
# Only workflow runs from these branches will trigger this workflow.
# branches:
# - release/client/**
# - release/server/**
# - test/release/**
# The workflow can be triggered manually in the GitHub UI.
workflow_dispatch:
inputs:
pr:
description: "PR number on which to run approval checks"
required: true
permissions:
actions: read
pull-requests: read
statuses: write
jobs:
# on-failure:
# name: Check upstream workflow status
# if: github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'failure'
# runs-on: ubuntu-latest
# steps:
# - run: echo "The triggering workflow failed"
metadata:
name: Get PR metadata
runs-on: ubuntu-latest
outputs:
pr_num: ${{ steps.workflow_run_load_pr.outputs.pr_num || steps.workflow_dispatch_load_pr.outputs.pr_num }}
is_release_branch: ${{ steps.workflow_run_is_release_branch.outputs.is_release_branch || steps.workflow_dispatch_is_release_branch.outputs.is_release_branch }}
commit_sha: ${{ steps.workflow_run_load_commit_sha.outputs.commit_sha }}
steps:
### These steps run on workflow_run event only ###
- name: Download metadata
if: github.event_name == 'workflow_run'
# release notes: https://github.com/dawidd6/action-download-artifact/releases/tag/v6
uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # ratchet:dawidd6/action-download-artifact@v6
with:
workflow: release-branches.yml
# workflow_conclusion: completed
run_id: ${{ github.event.workflow_run.id }}
name: release-branch-pr-metadata
path: ./artifacts
- name: "workflow_run: Load PR number"
id: workflow_run_load_pr
if: github.event_name == 'workflow_run'
working-directory: ./artifacts
run: echo "pr_num=$(cat pr)" >> $GITHUB_OUTPUT
- name: "workflow_run: Load is_release_branch"
id: workflow_run_is_release_branch
if: github.event_name == 'workflow_run'
working-directory: ./artifacts
run: echo "is_release_branch=$(cat is_release_branch)" >> $GITHUB_OUTPUT
- name: "workflow_run: Load commit_sha"
id: workflow_run_load_commit_sha
if: github.event_name == 'workflow_run'
working-directory: ./artifacts
run: echo "commit_sha=$(cat commit_sha)" >> $GITHUB_OUTPUT
### These steps run on workflow_dispatch event only ###
- name: "workflow_dispatch: Load PR number"
id: workflow_dispatch_load_pr
if: github.event_name == 'workflow_dispatch'
run: echo "pr_num=${{ github.event.inputs.pr }}" >> $GITHUB_OUTPUT
- name: "workflow_dispatch: Load is_release_branch"
id: workflow_dispatch_is_release_branch
if: github.event_name == 'workflow_dispatch'
run: echo "is_release_branch=true" >> $GITHUB_OUTPUT
check_approval:
name: Check PR approval
if: needs.metadata.outputs.is_release_branch == 'true'
needs: metadata
runs-on: ubuntu-latest
steps:
- name: Set commit status as pending
# release notes: https://github.com/myrotvorets/set-commit-status-action/releases/tag/v2.0.1
uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # ratchet:myrotvorets/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
sha: ${{ needs.metadata.outputs.commit_sha }}
status: pending
context: Check PR approval
# release notes: https://github.com/actions/checkout/releases/tag/v4.1.7
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4
with:
# The default ref when triggered by the workflow_run event is the default branch -- main
# This means the build-tools from the main branch will always be used.
persist-credentials: false
submodules: false
# install and configure node, pnpm and the changeset tools
# release notes: https://github.com/pnpm/action-setup/releases/tag/v4.0.0
- uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # ratchet:pnpm/action-setup@v4
# release notes: https://github.com/actions/setup-node/releases/tag/v4.0.3
- uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # ratchet:actions/setup-node@v4
with:
node-version-file: .nvmrc
cache: "pnpm"
cache-dependency-path: pnpm-lock.yaml
- name: Install Fluid build tools
continue-on-error: true
run: |
cd build-tools
pnpm install --frozen-lockfile
pnpm run build:compile
# We want flub available to call, so we run npm link in the build-cli package, which creates shims that are avilable on the PATH
# Use npm link instead of pnpm link because it handles bins better
cd packages/build-cli
npm link
- name: Check build-tools installation
run: |
# Info for debugging
which flub
flub --help
flub commands
- name: Check PR approval
id: check-pr
env:
# The standard token doesn't have org:read permissions, and that scope can't be added using permissions in
# the workflow.
# GITHUB_TOKEN: ${{ secrets.ORGANIZATION_READ_PAT }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
continue-on-error: true
run: |
# This command will fail with an error if the PR is not approved, which
# will in turn cause the CI job to fail.
flub check prApproval \
--pr ${{ needs.metadata.outputs.pr_num }} \
--repo ${{ github.repository }} \
--team FluidFramework-ReleaseApprovers
- name: Set commit status as success
if: steps.check-pr.outcome == 'success'
# release notes: https://github.com/myrotvorets/set-commit-status-action/releases/tag/v2.0.1
uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # ratchet:myrotvorets/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
sha: ${{ needs.metadata.outputs.commit_sha }}
status: success
context: Check PR approval
- name: Set commit status as failure
if: steps.check-pr.outcome != 'success'
# release notes: https://github.com/myrotvorets/set-commit-status-action/releases/tag/v2.0.1
uses: myrotvorets/set-commit-status-action@3730c0a348a2ace3c110851bed53331bc6406e9f # ratchet:myrotvorets/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
status: failure
context: Check PR approval