feat(IDX): add internal-external workflow (#99)

* feat(IDX): add internal-external workflow * updates * comment * empty commit * updates * debug * debug * another try * re-introduce code * test with different token * remove * empty commit * empty commit * switch to CLA bot * add message * empty commit * try without bot * fix unbound var * add comments * remove line
dfinity · Jan 23, 2025 · 2424cc8 · 2424cc8
1 parent 1a6024c
commit 2424cc8
Showing 1 changed file with 87 additions and 0 deletions.
diff --git a/.github/workflows/internal_vs_external.yml b/.github/workflows/internal_vs_external.yml
@@ -0,0 +1,87 @@
+# Checks to see which reviews are required based on internal vs external contribution
+
+name: Internal vs External Review
+
+on:
+  pull_request:
+    types:
+      - ready_for_review
+      - synchronize
+  merge_group: # merge group is always needed for a required workflows to prevent them from getting stuck, but we then skip it below
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  check-membership:
+    name: Check Membership
+    runs-on: ubuntu-latest
+    # Dont run this workflow on merge queue
+    if:  ${{ github.event_name != 'merge_group' }}
+    outputs:
+      is_member: ${{ steps.check-membership.outputs.is_member}}
+    steps:
+      - name: Create GitHub App Token
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ vars.CLA_BOT_APP_ID }}
+          private-key: ${{ secrets.CLA_BOT_PRIVATE_KEY }}
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          repository: 'dfinity/public-workflows'
+
+      - name: Python Setup
+        uses: ./.github/workflows/python-setup
+
+      - name: Check Membership
+        id:  check-membership
+        run: python reusable_workflows/check_membership/check_membership.py
+        shell: bash
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          GH_ORG: ${{ github.repository_owner }}
+          USER: ${{ github.event.pull_request.user.login }}
+
+  revoke-approvals:
+    name: Revoke Approvals
+    runs-on: ubuntu-latest
+    needs: check-membership
+    if: ${{ needs.check-membership.outputs.is_member != 'true' && needs.check-membership.result == 'success' }}
+    steps:
+      - name: Dismiss Pull Request Reviews
+        run: |
+          set -euo pipefail
+
+          # get existing reviews
+          reviews=$(curl -s -H "Authorization: token ${GH_TOKEN}" \
+            "https://api.github.com/repos/${GH_ORG}/${REPO}/pulls/${PULL_NUMBER}/reviews")
+
+          # If no reviews were given, then exit script
+          if [ -z "$reviews" ] || [ "$reviews" == "[]" ]; then
+            echo "No reviews to dismiss"
+            exit 0
+          fi
+
+          # dismiss PR reviews
+          for review_id in $(echo "${reviews}" | jq -r '.[] | select(.state == "APPROVED") | .id'); do
+            response=$(curl -s -o /dev/null -w "%{http_code}" -X PUT -H "Authorization: token ${GH_TOKEN}" \
+              -H "Accept: application/vnd.github.v3+json" \
+              -d '{"message": "Review dismissed by automation script."}' \
+              "https://api.github.com/repos/${GH_ORG}/${REPO}/pulls/${PULL_NUMBER}/reviews/${review_id}/dismissals")
+            if [ "$response" -eq 200 ]; then
+              echo "Dismissed review ${review_id}"
+            else
+              echo "Failed to dismiss review ${review_id}, HTTP status code: $response"
+              exit 1
+            fi
+          done
+        shell: bash
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # actor is github actions with above permissions
+          GH_ORG: ${{ github.repository_owner }}
+          REPO: ${{ github.event.repository.name }}
+          PULL_NUMBER: ${{ github.event.pull_request.number }}