Backend PR Labeler #2116
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Backend PR Labeler | |
on: | |
pull_request: | |
types: [opened, reopened, review_requested, review_request_removed, ready_for_review, converted_to_draft, labeled, unlabeled] | |
pull_request_review: | |
types: [submitted] | |
workflow_run: | |
workflows: | |
- "Code Checks" | |
types: [completed] | |
jobs: | |
get-pr-data: | |
runs-on: ubuntu-latest | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
outputs: | |
pr_number: ${{ steps.get_pr_data.outputs.pr_number }} | |
pr_draft: ${{ steps.get_pr_data.outputs.pr_draft }} | |
pr_labels: ${{ steps.get_pr_data.outputs.pr_labels }} | |
pr_requested_teams: ${{ steps.get_pr_data.outputs.pr_requested_teams }} | |
steps: | |
- name: Get pull_request data | |
id: get_pr_data | |
run: | | |
if ${{ github.event_name == 'pull_request' || github.event_name == 'pull_request_review'}}; then | |
echo "pr_number=${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT | |
echo "pr_draft=${{ github.event.pull_request.draft }}" >> $GITHUB_OUTPUT | |
echo "pr_labels=$(echo '${{ toJSON(github.event.pull_request.labels.*.name) }}' | jq -c '.')" >> $GITHUB_OUTPUT | |
echo "pr_requested_teams=$(echo '${{ toJSON(github.event.pull_request.requested_teams.*.name) }}' | jq -c '.')" >> $GITHUB_OUTPUT | |
elif ${{ github.event_name == 'workflow_run' }}; then | |
if ${{ github.event.workflow_run.event == 'push' }}; then | |
echo "Workflow was triggered by push to ${{ github.event.workflow_run.head_branch }}. Labeling not required." | |
exit 0 | |
elif ${{ toJSON(github.event.workflow_run.pull_requests) != '[]' }}; then | |
PR_NUMBER="${{ github.event.workflow_run.pull_requests[0].number }}" | |
echo "pr_number=${PR_NUMBER}" >> $GITHUB_OUTPUT | |
# Fetch PR details from GitHub API | |
PR_INFO=$(gh api /repos/${{ github.repository }}/pulls/${PR_NUMBER} --jq '{ | |
draft: .draft, | |
labels: [.labels[].name], | |
requested_teams: [.requested_teams[].slug] | |
}') | |
# Extract and store individual fields | |
echo "pr_draft=$(echo "$PR_INFO" | jq -r '.draft')" >> $GITHUB_OUTPUT | |
echo "pr_labels=$(echo "$PR_INFO" | jq -c '.labels')" >> $GITHUB_OUTPUT | |
echo "pr_requested_teams=$(echo "$PR_INFO" | jq -c '.requested_teams')" >> $GITHUB_OUTPUT | |
else | |
echo "Workflow run has no associated pull requests. Labeling not performed." | |
exit 0 | |
fi | |
else | |
echo "event_name: ${{ github.event_name }}" | |
echo "Pull Request not successfully retrieved." | |
exit 1 | |
fi | |
- name: Echo PR data | |
if: ${{ steps.get_pr_data.outputs.pr_number != '' }} | |
run: | | |
echo "pr_number: ${{ steps.get_pr_data.outputs.pr_number }}" | |
echo "pr_draft: ${{ steps.get_pr_data.outputs.pr_draft }}" | |
echo "pr_labels: ${{ steps.get_pr_data.outputs.pr_labels }}" | |
echo "pr_labels: ${{ fromJson(steps.get_pr_data.outputs.pr_labels)[0] }}" | |
echo "pr_requested_teams: ${{ steps.get_pr_data.outputs.pr_requested_teams }}" | |
echo "pr_requested_teams: ${{ fromJSON(steps.get_pr_data.outputs.pr_requested_teams)[0] }}" | |
check-pr-status: | |
runs-on: ubuntu-latest | |
needs: get-pr-data | |
if: ${{ needs.get-pr-data.outputs.pr_number != '' }} | |
env: | |
pr_labels: ${{ needs.get-pr-data.outputs.pr_labels }} | |
pr_requested_teams: ${{ needs.get-pr-data.outputs.pr_requested_teams }} | |
outputs: | |
test_status: ${{ steps.get_code_checks_conclusion.outputs.test_status }} | |
exempt: ${{ steps.check_exemption.outputs.exempt }} | |
failures_detected: ${{ steps.audit_pr_labels.outputs.failures_detected }} | |
steps: | |
- name: Print vars (DELETE ME) | |
run: | | |
echo "pr_labels=${{ needs.get-pr-data.outputs.pr_labels }}" | |
echo "pr_requested_teams=${{ needs.get-pr-data.outputs.pr_requested_teams }}" | |
- name: Get Code Checks result | |
if: github.event_name == 'workflow_run' | |
run: | | |
echo "test_status=${{ github.event.workflow_run.conclusion }}" >> $GITHUB_OUTPUT | |
echo "test_status: ${{ github.event.workflow_run.conclusion }}" | |
- name: Check for exemption | |
id: check_exemption | |
run: | | |
if ${{ contains(fromJSON(env.pr_requested_teams), 'backend-review-group') }}; then | |
echo "exempt=false" >> $GITHUB_OUTPUT | |
echo "PR requires backend approval." | |
else | |
echo "exempt=true" >> $GITHUB_OUTPUT | |
echo "PR is exempt from backend approval." | |
fi | |
- name: Check for failure labels | |
id: audit_pr_labels | |
run: | | |
if \ | |
${{ contains(env.pr_labels, 'code-health-failure') }} || \ | |
${{ contains(env.pr_labels, 'codeowners-addition-failure') }} || \ | |
${{ contains(env.pr_labels, 'codeowners-delete-failure') }} || \ | |
${{ contains(env.pr_labels, 'lint-failure') }} || \ | |
${{ contains(env.pr_labels, 'test-failure') }} ; then | |
echo "failures_detected=true" >> $GITHUB_OUTPUT | |
echo "Failure labels detected." | |
else | |
echo "failures_detected=false" >> $GITHUB_OUTPUT | |
echo "No failure labels detected." | |
fi | |
check-approvals: | |
runs-on: ubuntu-latest | |
needs: [get-pr-data, check-pr-status] | |
if: ${{ needs.check-pr-status.outputs.exempt == 'false' && needs.check-pr-status.outputs.pr_draft == 'false' }} | |
env: | |
pr_number: ${{ needs.get-pr-data.outputs.pr_number }} | |
outputs: | |
approval_status: ${{ steps.verify_approval.outputs.approval_status }} | |
steps: | |
- name: Print vars (DELETE ME) | |
run: | | |
echo "pr_number=${{ env.pr_number }}" | |
- name: Configure AWS Credentials | |
uses: aws-actions/[email protected] | |
with: | |
aws-access-key-id: ${{ secrets.aws_access_key_id }} | |
aws-secret-access-key: ${{ secrets.aws_secret_access_key }} | |
aws-region: "us-gov-west-1" | |
- name: Get bot token from Parameter Store | |
uses: marvinpinto/action-inject-ssm-secrets@latest | |
with: | |
ssm_parameter: /devops/VA_VSP_BOT_GITHUB_TOKEN | |
env_variable_name: VA_VSP_BOT_GITHUB_TOKEN | |
- name: Get PR Reviews | |
id: get_pr_reviews | |
uses: octokit/[email protected] | |
with: | |
route: GET /repos/${{ github.repository }}/pulls/${{ env.pr_number }}/reviews | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Get backend-review-group members | |
id: get_team_members | |
uses: octokit/[email protected] | |
with: | |
route: GET /orgs/department-of-veterans-affairs/teams/backend-review-group/members | |
env: | |
GITHUB_TOKEN: ${{ env.VA_VSP_BOT_GITHUB_TOKEN }} | |
# Confirm an approval exists from at least one BE team member | |
- name: Verify backend-review-group approval | |
id: verify_approval | |
run: | | |
BACKEND_REVIEWERS=$(cat <<'EOF' | jq -r '.[].login' | tr '\n' '|' | sed 's/|$//' | |
${{ steps.get_team_members.outputs.data }} | |
EOF | |
) | |
APPROVALS=$(cat <<'EOF' | jq -r '.[] | select(.state == "APPROVED") | .user.login' | grep -iE "$BACKEND_REVIEWERS" | wc -l | |
${{ steps.get_pr_reviews.outputs.data }} | |
EOF | |
) | |
echo "Number of backend-review-group approvals: $APPROVALS" | |
if [ "$APPROVALS" -eq 0 ]; then | |
echo "approval_status=required" >> $GITHUB_OUTPUT | |
echo "Backend-review-group approval required." | |
else | |
echo "approval_status=confirmed" >> $GITHUB_OUTPUT | |
echo "Backend-review-group approval confirmed." | |
fi | |
apply-labels: | |
runs-on: ubuntu-latest | |
needs: [get-pr-data, check-pr-status, check-approvals] | |
if: ${{ always() }} | |
env: | |
exempt: ${{ needs.check-pr-status.outputs.exempt }} | |
pr_number: ${{ needs.get-pr-data.outputs.pr_number }} | |
pr_draft: ${{ needs.get-pr-data.outputs.pr_draft }} | |
pr_labels: ${{ needs.get-pr-data.outputs.pr_labels }} | |
test_status: ${{ needs.check-pr-status.outputs.test_status }} | |
failures_detected: ${{ needs.check-pr-status.outputs.failures_detected }} | |
approval_status: ${{ needs.check-approvals.outputs.approval_status }} | |
steps: | |
- name: print vars (DELETE ME) | |
id: print-vars | |
run: | | |
echo ${{ env.exempt }} | |
echo ${{ env.pr_number }} | |
echo ${{ env.pr_draft }} | |
echo ${{ env.pr_labels }} | |
echo ${{ env.test_status }} | |
echo ${{ env.failures_detected }} | |
echo ${{ env.approval_status }} |