name: External Plugin Approval Commands on: issue_comment: types: [created] permissions: contents: write issues: write pull-requests: write jobs: handle-command: runs-on: ubuntu-latest if: >- !github.event.issue.pull_request && (contains(github.event.comment.body, '/approve') || contains(github.event.comment.body, '/reject')) steps: - name: Checkout staged branch uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: ref: staged fetch-depth: 0 - name: Setup Node.js uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 22 cache: npm - name: Parse decision command id: parse env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 with: script: | const path = require('path'); const { pathToFileURL } = require('url'); const approval = await import(pathToFileURL(path.join(process.env.GITHUB_WORKSPACE, 'eng', 'external-plugin-approval.mjs')).href); const intake = await import(pathToFileURL(path.join(process.env.GITHUB_WORKSPACE, 'eng', 'external-plugin-intake.mjs')).href); const parsedCommand = approval.parseDecisionCommand(context.payload.comment.body); core.setOutput('should-run', 'false'); if (!parsedCommand) { core.info('No supported external plugin approval command was found.'); return; } const permission = await github.rest.repos.getCollaboratorPermissionLevel({ owner: context.repo.owner, repo: context.repo.repo, username: context.payload.comment.user.login }); const hasWriteAccess = ['admin', 'write', 'maintain'].includes(permission.data.permission); if (!hasWriteAccess) { core.info(`Ignoring ${parsedCommand.command} because ${context.payload.comment.user.login} does not have write access.`); return; } const currentIssue = await github.rest.issues.get({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.issue.number }); const labelNames = new Set((currentIssue.data.labels || []).map((label) => label.name)); if (!labelNames.has('external-plugin')) { core.info('Ignoring command because the issue is not an external plugin submission.'); return; } const evaluation = await intake.evaluateExternalPluginIssue({ issue: currentIssue.data, token: process.env.GITHUB_TOKEN }); const fallbackName = evaluation.plugin?.name ?? `issue-${context.issue.number}`; const canApprove = labelNames.has('ready-for-review') || labelNames.has('approved'); const canReject = !labelNames.has('approved'); if (parsedCommand.command === 'approve' && !canApprove) { core.info('Ignoring /approve because the issue is not ready for review.'); return; } if (parsedCommand.command === 'reject' && !canReject) { core.info('Ignoring /reject because the issue is already approved.'); return; } core.setOutput('should-run', 'true'); core.setOutput('command', parsedCommand.command); core.setOutput('reason', parsedCommand.reason ?? ''); core.setOutput('validation-valid', evaluation.valid ? 'true' : 'false'); core.setOutput('validation-errors', JSON.stringify(evaluation.errors)); core.setOutput('plugin-name', fallbackName); core.setOutput('plugin-slug', approval.slugifyPluginName(fallbackName)); core.setOutput('source-repo', evaluation.plugin?.source?.repo ?? ''); - name: Comment blocked approval if: steps.parse.outputs.should-run == 'true' && steps.parse.outputs.command == 'approve' && steps.parse.outputs.validation-valid != 'true' uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 env: VALIDATION_ERRORS: ${{ steps.parse.outputs.validation-errors }} PLUGIN_NAME: ${{ steps.parse.outputs.plugin-name }} with: script: | const marker = ''; const errors = JSON.parse(process.env.VALIDATION_ERRORS || '[]'); const body = [ marker, '## ⚠️ External plugin approval blocked', '', `The current issue form for **${process.env.PLUGIN_NAME}** no longer passes automated intake validation, so \`/approve\` was not applied.`, '', '### Required fixes', '', ...(errors.length > 0 ? errors.map((error) => `- ${error}`) : ['- Edit the issue details and let intake rerun automatically, or comment `/rerun-intake` to trigger it again on demand.']) ].join('\n'); const { data: comments } = await github.rest.issues.listComments({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.issue.number, per_page: 100 }); const existingComment = comments.find((comment) => comment.user?.login === 'github-actions[bot]' && comment.body?.includes(marker) ); if (existingComment) { await github.rest.issues.updateComment({ owner: context.repo.owner, repo: context.repo.repo, comment_id: existingComment.id, body }); } else { await github.rest.issues.createComment({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.issue.number, body }); } - name: Install dependencies if: steps.parse.outputs.should-run == 'true' && steps.parse.outputs.command == 'approve' && steps.parse.outputs.validation-valid == 'true' run: npm ci - name: Update external plugin catalog and PR id: approval_pr if: steps.parse.outputs.should-run == 'true' && steps.parse.outputs.command == 'approve' && steps.parse.outputs.validation-valid == 'true' env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | result=$(node ./eng/external-plugin-approval.mjs approve "$GITHUB_EVENT_PATH" --file ./plugins/external.json) { echo 'result<> "$GITHUB_OUTPUT" plugin_name=$(node -e "const data = JSON.parse(process.argv[1]); process.stdout.write(data.plugin.name);" "$result") action=$(node -e "const data = JSON.parse(process.argv[1]); process.stdout.write(data.action);" "$result") source_repo=$(node -e "const data = JSON.parse(process.argv[1]); process.stdout.write(data.plugin.source.repo);" "$result") plugin_slug='${{ steps.parse.outputs.plugin-slug }}' issue_number='${{ github.event.issue.number }}' branch="automation/external-plugin-approve-${issue_number}-${plugin_slug}" if [ "$action" = "inserted" ]; then title_action="Add" summary_action="add" else title_action="Update" summary_action="update" fi npm run build bash eng/fix-line-endings.sh pr_url="" pr_number="" if git diff --quiet; then pr_number=$(gh pr list --head "$branch" --base staged --json number --jq '.[0].number') if [ -n "$pr_number" ]; then pr_url=$(gh pr view "$pr_number" --json url --jq '.url') fi echo "changed=false" >> "$GITHUB_OUTPUT" echo "plugin-name=$plugin_name" >> "$GITHUB_OUTPUT" echo "action=$action" >> "$GITHUB_OUTPUT" echo "source-repo=$source_repo" >> "$GITHUB_OUTPUT" echo "pr-url=$pr_url" >> "$GITHUB_OUTPUT" echo "pr-number=$pr_number" >> "$GITHUB_OUTPUT" exit 0 fi git config user.name "github-actions[bot]" git config user.email "41898282+github-actions[bot]@users.noreply.github.com" git checkout -B "$branch" git add -A git commit -m "${title_action} external plugin ${plugin_name}" git push --force-with-lease origin "$branch" pr_number=$(gh pr list --head "$branch" --base staged --json number --jq '.[0].number') pr_body=$(cat <> "$GITHUB_OUTPUT" echo "plugin-name=$plugin_name" >> "$GITHUB_OUTPUT" echo "action=$action" >> "$GITHUB_OUTPUT" echo "source-repo=$source_repo" >> "$GITHUB_OUTPUT" echo "pr-url=$pr_url" >> "$GITHUB_OUTPUT" echo "pr-number=$pr_number" >> "$GITHUB_OUTPUT" - name: Finalize approval if: steps.parse.outputs.should-run == 'true' && steps.parse.outputs.command == 'approve' && steps.parse.outputs.validation-valid == 'true' uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 env: CHANGED: ${{ steps.approval_pr.outputs.changed }} ACTION: ${{ steps.approval_pr.outputs.action }} PLUGIN_NAME: ${{ steps.approval_pr.outputs.plugin-name }} SOURCE_REPO: ${{ steps.approval_pr.outputs.source-repo }} PR_URL: ${{ steps.approval_pr.outputs.pr-url }} PR_NUMBER: ${{ steps.approval_pr.outputs.pr-number }} with: script: | const managedLabels = { 'external-plugin': { color: 'FEF2C0', description: 'Public external plugin submission' }, 'awaiting-review': { color: 'FBCA04', description: 'Submission is waiting for automated intake validation' }, 'ready-for-review': { color: '0E8A16', description: 'Submission passed intake validation and is ready for maintainer review' }, 'approved': { color: '1D76DB', description: 'Submission was approved by a maintainer' }, 'rejected': { color: 'B60205', description: 'Submission was rejected or failed intake validation' } }; async function ensureLabel(name, config) { try { await github.rest.issues.createLabel({ owner: context.repo.owner, repo: context.repo.repo, name, color: config.color, description: config.description }); } catch (error) { if (error.status !== 422) { throw error; } } } async function removeLabel(issueNumber, name) { try { await github.rest.issues.removeLabel({ owner: context.repo.owner, repo: context.repo.repo, issue_number: issueNumber, name }); } catch (error) { if (error.status !== 404) { throw error; } } } async function syncIssueLabels(issueNumber, desiredLabels) { await Promise.all(Object.entries(managedLabels).map(([name, config]) => ensureLabel(name, config))); const currentLabels = await github.paginate(github.rest.issues.listLabelsOnIssue, { owner: context.repo.owner, repo: context.repo.repo, issue_number: issueNumber, per_page: 100 }); const currentManagedLabels = currentLabels .map((label) => label.name) .filter((name) => Object.prototype.hasOwnProperty.call(managedLabels, name)); const labelsToAdd = [...desiredLabels].filter((name) => !currentManagedLabels.includes(name)); const labelsToRemove = currentManagedLabels.filter((name) => !desiredLabels.has(name)); if (labelsToAdd.length > 0) { await github.rest.issues.addLabels({ owner: context.repo.owner, repo: context.repo.repo, issue_number: issueNumber, labels: labelsToAdd }); } for (const name of labelsToRemove) { await removeLabel(issueNumber, name); } } const issueNumber = context.issue.number; const prNumber = Number(process.env.PR_NUMBER || 0); const marker = ''; const action = process.env.ACTION === 'updated' ? 'updated' : 'added'; const prUrl = process.env.PR_URL; const body = [ marker, '## ✅ External plugin approved', '', `A maintainer approved **${process.env.PLUGIN_NAME}**, and the submission issue has been closed.`, '', `- **Catalog action:** ${action}`, `- **Source repository:** \`${process.env.SOURCE_REPO}\``, prUrl ? `- **PR against \`staged\`:** ${prUrl}` : '- **PR against `staged`:** No new PR was needed because the approved listing is already present.' ].join('\n'); await syncIssueLabels(issueNumber, new Set(['external-plugin', 'approved'])); if (prNumber > 0) { await github.rest.issues.addLabels({ owner: context.repo.owner, repo: context.repo.repo, issue_number: prNumber, labels: ['external-plugin', 'awaiting-review'] }); } const { data: comments } = await github.rest.issues.listComments({ owner: context.repo.owner, repo: context.repo.repo, issue_number: issueNumber, per_page: 100 }); const existingComment = comments.find((comment) => comment.user?.login === 'github-actions[bot]' && comment.body?.includes(marker) ); if (existingComment) { await github.rest.issues.updateComment({ owner: context.repo.owner, repo: context.repo.repo, comment_id: existingComment.id, body }); } else { await github.rest.issues.createComment({ owner: context.repo.owner, repo: context.repo.repo, issue_number: issueNumber, body }); } if (context.payload.issue.state !== 'closed') { await github.rest.issues.update({ owner: context.repo.owner, repo: context.repo.repo, issue_number: issueNumber, state: 'closed' }); } - name: Finalize rejection if: steps.parse.outputs.should-run == 'true' && steps.parse.outputs.command == 'reject' uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0 env: REASON: ${{ steps.parse.outputs.reason }} PLUGIN_NAME: ${{ steps.parse.outputs.plugin-name }} with: script: | const managedLabels = { 'external-plugin': { color: 'FEF2C0', description: 'Public external plugin submission' }, 'awaiting-review': { color: 'FBCA04', description: 'Submission is waiting for automated intake validation' }, 'ready-for-review': { color: '0E8A16', description: 'Submission passed intake validation and is ready for maintainer review' }, 'approved': { color: '1D76DB', description: 'Submission was approved by a maintainer' }, 'rejected': { color: 'B60205', description: 'Submission was rejected or failed intake validation' } }; async function ensureLabel(name, config) { try { await github.rest.issues.createLabel({ owner: context.repo.owner, repo: context.repo.repo, name, color: config.color, description: config.description }); } catch (error) { if (error.status !== 422) { throw error; } } } async function removeLabel(name) { try { await github.rest.issues.removeLabel({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.issue.number, name }); } catch (error) { if (error.status !== 404) { throw error; } } } await Promise.all(Object.entries(managedLabels).map(([name, config]) => ensureLabel(name, config))); await github.rest.issues.addLabels({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.issue.number, labels: ['external-plugin', 'rejected'] }); await removeLabel('awaiting-review'); await removeLabel('ready-for-review'); await removeLabel('approved'); const marker = ''; const reason = process.env.REASON || 'No additional reason was provided.'; const body = [ marker, '## ❌ External plugin rejected', '', `A maintainer rejected **${process.env.PLUGIN_NAME}**, and the submission issue has been closed.`, '', '### Reason', '', reason, '', 'If you address the feedback, edit this issue with the updated details and have the issue author or a maintainer comment `/rerun-intake` to re-run automated intake.' ].join('\n'); const { data: comments } = await github.rest.issues.listComments({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.issue.number, per_page: 100 }); const existingComment = comments.find((comment) => comment.user?.login === 'github-actions[bot]' && comment.body?.includes(marker) ); if (existingComment) { await github.rest.issues.updateComment({ owner: context.repo.owner, repo: context.repo.repo, comment_id: existingComment.id, body }); } else { await github.rest.issues.createComment({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.issue.number, body }); } if (context.payload.issue.state !== 'closed') { await github.rest.issues.update({ owner: context.repo.owner, repo: context.repo.repo, issue_number: context.issue.number, state: 'closed' }); }