harald/zeroclaw
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 3

fix(ci): keep both workflow owners in approval allowlist (#652)

Browse source 
* fix(ci): always include both workflow owners in approval gate

* fix(ci): allow workflow-owner-authored PRs through owner gate
This commit is contained in:
Will Sarg 2026-02-17 15:34:56 -05:00 committed by GitHub
parent a87ea84073
commit 5be4fd9138
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 14 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

18
.github/workflows/ci.yml vendored
View file

@ -220,27 +220,32 @@ jobs:
- name: Require owner approval for workflow file changes - name: Require owner approval for workflow file changes
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
env: env:
WORKFLOW_OWNER_LOGINS: ${{ vars.WORKFLOW_OWNER_LOGINS || 'theonlyhennygod,willsarg' }} WORKFLOW_OWNER_LOGINS: ${{ vars.WORKFLOW_OWNER_LOGINS }}
with: with:
script: | script: |
const owner = context.repo.owner; const owner = context.repo.owner;
const repo = context.repo.repo; const repo = context.repo.repo;
const prNumber = context.payload.pull_request?.number; const prNumber = context.payload.pull_request?.number;
const prAuthor = context.payload.pull_request?.user?.login?.toLowerCase() || "";
if (!prNumber) { if (!prNumber) {
core.setFailed("Missing pull_request context."); core.setFailed("Missing pull_request context.");
return; return;
} }
const ownerAllowlist = (process.env.WORKFLOW_OWNER_LOGINS || "") const baseOwners = ["theonlyhennygod", "willsarg"];
const configuredOwners = (process.env.WORKFLOW_OWNER_LOGINS || "")
.split(",") .split(",")
.map((login) => login.trim().toLowerCase()) .map((login) => login.trim().toLowerCase())
.filter(Boolean); .filter(Boolean);
const ownerAllowlist = [...new Set([...baseOwners, ...configuredOwners])];
if (ownerAllowlist.length === 0) { if (ownerAllowlist.length === 0) {
core.setFailed("WORKFLOW_OWNER_LOGINS is empty. Set a repository variable or use a fallback value."); core.setFailed("Workflow owner allowlist is empty.");
return; return;
} }
core.info(`Workflow owner allowlist: ${ownerAllowlist.join(", ")}`);
const files = await github.paginate(github.rest.pulls.listFiles, { const files = await github.paginate(github.rest.pulls.listFiles, {
owner, owner,
repo, repo,
@ -259,6 +264,11 @@ jobs:
core.info(`Workflow files changed:\n- ${workflowFiles.join("\n- ")}`); core.info(`Workflow files changed:\n- ${workflowFiles.join("\n- ")}`);
if (prAuthor && ownerAllowlist.includes(prAuthor)) {
core.info(`Workflow PR authored by allowlisted owner: @${prAuthor}`);
return;
}
const reviews = await github.paginate(github.rest.pulls.listReviews, { const reviews = await github.paginate(github.rest.pulls.listReviews, {
owner, owner,
repo, repo,
@ -285,7 +295,7 @@ jobs:
const ownerApprover = approvedUsers.find((login) => ownerAllowlist.includes(login)); const ownerApprover = approvedUsers.find((login) => ownerAllowlist.includes(login));
if (!ownerApprover) { if (!ownerApprover) {
core.setFailed( core.setFailed(
`Workflow files changed. Approvals found (${approvedUsers.join(", ")}), but none match WORKFLOW_OWNER_LOGINS.`, `Workflow files changed. Approvals found (${approvedUsers.join(", ")}), but none match workflow owner allowlist.`,
); );
return; return;
} }