From c1d78b1619798e4a03ad44a1178304ef18c4485d Mon Sep 17 00:00:00 2001
From: Mathieu Kardous
Date: Tue, 28 Jan 2025 12:13:22 -0500
Subject: [PATCH 1/3] add require admin check workflow
---
 .github/workflows/silabs-open-csa-pr.yaml | 3 +-
 .../silabs-require-admin-action-check.yaml | 37 +++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/silabs-require-admin-action-check.yaml
diff --git a/.github/workflows/silabs-open-csa-pr.yaml b/.github/workflows/silabs-open-csa-pr.yaml
index efde7f698a..2c401a9307 100644
--- a/.github/workflows/silabs-open-csa-pr.yaml
+++ b/.github/workflows/silabs-open-csa-pr.yaml
@@ -36,7 +36,8 @@ jobs:
 **PR MUST BE MERGED WITH MERGE COMMIT - ADMIN MUST ENABLE THE OPTION**
 token: ${{secrets.GITHUB_TOKEN}}
- labels: changing-submodules-on-purpose
+ labels:
+ changing-submodules-on-purpose, sl-require-admin-action
 # The next step is necessary to force the CI to be executed when a PR is opened by the github-bot.
 # The PR event isn't triggered when the bot opens the PR and as such doesn't trigger the workflows that use the event as their trigger.
diff --git a/.github/workflows/silabs-require-admin-action-check.yaml b/.github/workflows/silabs-require-admin-action-check.yaml
new file mode 100644
index 0000000000..d988ae6c59
--- /dev/null
+++ b/.github/workflows/silabs-require-admin-action-check.yaml
@@ -0,0 +1,37 @@
+name: Check for sl-require-admin-action label
+
+on:
+ pull_request:
+ branches:
+ - main
+ - release_*
+ types:
+ - opened
+ - reopened
+ - synchronize
+ - labeled
+ - unlabeled
+
+permissions:
+ pull-requests: write
+
+jobs:
+ check-label:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check for sl-require-admin-action label
+ run: |
+ PR_NUMBER=${{ github.event.pull_request.number }}
+ LABELS=$(gh pr view $PR_NUMBER --repo ${{ github.repository }} --json labels --jq '.labels[].name')
+ if echo "$LABELS" | grep -q "sl-require-admin-action"; then
+ echo "The sl-require-admin-action label is present. Failing the job."
+ COMMENTS=$(gh pr view $PR_NUMBER --repo ${{ github.repository }} --json comments --jq '.comments[].body')
+ if ! echo "$COMMENTS" | grep -q "The CI failure for this job is normal. An admin must do the merge."; then
+ gh pr comment $PR_NUMBER --repo ${{ github.repository }} --body "The CI failure for this job is normal. An admin must do the merge."
+ fi
+ exit 1
+ else
+ echo "The sl-require-admin-action label is not present. Passing the job."
+ fi
+ env:
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
From 1a36d61fd62356bbdbfb393e7833f702505af50b Mon Sep 17 00:00:00 2001
From: Mathieu Kardous
Date: Tue, 28 Jan 2025 12:17:33 -0500
Subject: [PATCH 2/3] add label removal check
---
 .../silabs-require-admin-action-check.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/.github/workflows/silabs-require-admin-action-check.yaml b/.github/workflows/silabs-require-admin-action-check.yaml
index d988ae6c59..9ec1b4ca93 100644
--- a/.github/workflows/silabs-require-admin-action-check.yaml
+++ b/.github/workflows/silabs-require-admin-action-check.yaml
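Review bot: The label test `grep -q "sl-require-admin-action"` in the `check-label` step is an unanchored regex match over the whole label list, so any label whose name merely contains that text also fails the job; `grep -Fxq "sl-require-admin-action"` matches the exact name only. The comment de-duplication a few lines below greps every comment body on the PR, so a comment from any participant that quotes the sentence suppresses the bot's notice, and the `.` characters in the pattern act as regex wildcards; `grep -Fq` at least makes the match literal. Both `gh` calls also splice `${{ ... }}` values into the script text; these two values are not free-form, but passing them through `env:` (for example `PR_NUMBER: ${{ github.event.pull_request.number }}`) keeps the script free of template expansion.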
@@ -35,3 +35,21 @@ jobs:
 fi
 env:
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+ prevent-label-removal:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Prevent sl-require-admin-action label removal
+ if: github.event.action == 'unlabeled'
+ run: |
+ PR_NUMBER=${{ github.event.pull_request.number }}
+ REMOVED_LABEL=${{ github.event.label.name }}
+ if [ "$REMOVED_LABEL" == "sl-require-admin-action" ]; then
+ echo "The sl-require-admin-action label cannot be removed. Failing the job."
+ gh pr comment $PR_NUMBER --repo ${{ github.repository }} --body "The sl-require-admin-action label cannot be removed once it has been added."
+ exit 1
+ else
+ echo "A different label was removed. Passing the job."
+ fi
+ env:
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
From 10f5b1c76be6fc1c9a9ee9068db941fec0ad69aa Mon Sep 17 00:00:00 2001
From: Mathieu Kardous
Date: Tue, 28 Jan 2025 12:28:59 -0500
Subject: [PATCH 3/3] only post comment once for the label removal
---
 .github/workflows/silabs-require-admin-action-check.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/silabs-require-admin-action-check.yaml b/.github/workflows/silabs-require-admin-action-check.yaml
index 9ec1b4ca93..bcdd2d80a3 100644
--- a/.github/workflows/silabs-require-admin-action-check.yaml
+++ b/.github/workflows/silabs-require-admin-action-check.yaml
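Review bot: `REMOVED_LABEL=${{ github.event.label.name }}` pastes the label name into the script text before bash parses it, so the name is read as shell syntax rather than data. A label name containing a space already breaks the step, because the words after the first are run as a command, and shell metacharacters in a name would be executed with the `pull-requests: write` token this workflow grants. Pass the value through the environment instead: add `REMOVED_LABEL: ${{ github.event.label.name }}` under this step's `env:` and delete the assignment line, leaving the quoted `"$REMOVED_LABEL"` comparison as it is.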
@@ -46,7 +46,10 @@ jobs:
 REMOVED_LABEL=${{ github.event.label.name }}
 if [ "$REMOVED_LABEL" == "sl-require-admin-action" ]; then
 echo "The sl-require-admin-action label cannot be removed. Failing the job."
- gh pr comment $PR_NUMBER --repo ${{ github.repository }} --body "The sl-require-admin-action label cannot be removed once it has been added."
+ COMMENTS=$(gh pr view $PR_NUMBER --repo ${{ github.repository }} --json comments --jq '.comments[].body')
+ if ! echo "$COMMENTS" | grep -q "The sl-require-admin-action label cannot be removed once it has been added."; then
+ gh pr comment $PR_NUMBER --repo ${{ github.repository }} --body "The sl-require-admin-action label cannot be removed once it has been added."
+ fi
 exit 1
 else
 echo "A different label was removed. Passing the job."
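Review bot: This branch still only comments and exits 1; nothing puts the label back, so the failure covers just the one run triggered by the `unlabeled` event. On any later run the step is skipped by its `if:` and `check-label` finds no label, so both jobs pass; the `if:` and the `check-label` job are in the earlier patches of this series, outside this hunk, as are the start of the `run:` block and its closing `fi`. If the label is meant to be sticky, restore it before failing, e.g. `gh pr edit $PR_NUMBER --repo ${{ github.repository }} --add-label sl-require-admin-action` ahead of `exit 1` (confirm the token's permissions allow label edits). The new de-duplication check would also be better as `grep -Fq`, since the message is a literal string and not a regex.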