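# Dependency Approval via Comment Command
# Allows maintainers to approve dependency changes by commenting /approve-dependencies
#
# Trust model: `issue_comment` workflows run from the default branch with the
# base repository's GITHUB_TOKEN, including for comments on pull requests that
# come from forks. This job only calls the REST API and never checks out or
# executes pull-request code; keep it that way, since the token can write to
# issues and pull requests.

name: Dependency Approval Command

on:
  issue_comment:
    # Only new comments trigger the job; editing an old comment into the
    # command does not.
    types: [created]

# Scopes not listed here are not granted to the token.
permissions:
  issues: write
  pull-requests: write

jobs:
  approve-via-command:
    runs-on: ubuntu-latest
    # Only run on PRs, not issues, and only when the comment mentions the
    # command at all. This is a coarse pre-filter so unrelated PR comments do
    # not start a job holding a write-scoped token; the script below still
    # requires the command to be alone on its own line.
    if: >-
      github.event.issue.pull_request &&
      contains(github.event.comment.body, '/approve-dependencies')
    steps:
      - name: Check for approval command
        # NOTE(review): a tag ref is mutable. Consider pinning this action to
        # the full commit SHA of the reviewed release.
        uses: actions/github-script@v8
        with:
          script: |
            const comment = context.payload.comment;
            const commentBody = comment.body.trim();

            // Repository coordinates shared by every API call below.
            const target = {
              owner: context.repo.owner,
              repo: context.repo.repo
            };

            // Post a comment on the pull request the command was issued on.
            const reply = (body) => github.rest.issues.createComment({
              ...target,
              issue_number: context.issue.number,
              body
            });

            // The command must be the only text on one line of the comment
            // (multiline flag), so quoting it inside a sentence does not count.
            if (!/^\/approve-dependencies$/m.test(commentBody)) {
              core.info('Not an approval command, skipping');
              return;
            }

            // Authorization: the commenter must hold write or admin access on
            // this repository. The `permission` field reports the legacy levels
            // admin/write/read/none (GitHub reports the maintain role as write).
            // If this lookup throws, the step fails and no label is added.
            const userPermission = await github.rest.repos.getCollaboratorPermissionLevel({
              ...target,
              username: comment.user.login
            });

            const hasPermission = ['admin', 'write'].includes(userPermission.data.permission);

            if (!hasPermission) {
              await reply(`❌ @${comment.user.login} does not have permission to approve dependencies. Only maintainers with write access can approve.`);
              return;
            }

            // Check if already approved. The labels come from the event
            // payload, i.e. the PR state when the comment was created.
            const labels = context.payload.issue.labels.map(l => l.name);
            const alreadyApproved = labels.includes('dependencies-reviewed');

            if (alreadyApproved) {
              await reply(`ℹ️ Dependencies already approved - \`dependencies-reviewed\` label is present.`);
              return;
            }

            // Add the dependencies-reviewed label.
            // NOTE(review): the label is not tied to a commit, and nothing in
            // this file removes it when new commits are pushed. Confirm that
            // the workflow enforcing the label clears it on new pushes;
            // otherwise one approval also covers later dependency changes.
            await github.rest.issues.addLabels({
              ...target,
              issue_number: context.issue.number,
              labels: ['dependencies-reviewed']
            });

            // Add a confirmation comment; it names the approver for the record.
            await reply(`✅ **Dependencies approved** by @${comment.user.login}\n\nThe \`dependencies-reviewed\` label has been added. Security checks will now pass and this PR can be merged.`);

            // Add a reaction to the command comment
            await github.rest.reactions.createForIssueComment({
              ...target,
              comment_id: comment.id,
              content: '+1'
            });

            core.info('✅ Dependencies approved and label added');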