From dd5dbf390271976f3b61ed6a3af70795e7696e71 Mon Sep 17 00:00:00 2001
From: Javier Bullrich
Date: Tue, 16 Apr 2024 12:10:12 +0200
Subject: [PATCH] added check to ensure there are approvals (#4152)
Follow up to #3431 Added an api check to verify that there are pre-existing approvals in the PR before dismissing reviews and posting a message
---
 .github/workflows/review-trigger.yml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/review-trigger.yml b/.github/workflows/review-trigger.yml
index 061cf4ab09ed..007797d2f4b7 100644
--- a/.github/workflows/review-trigger.yml
+++ b/.github/workflows/review-trigger.yml
@@ -21,25 +21,29 @@ jobs:
 - name: Skip merge queue
 if: ${{ contains(github.ref, 'gh-readonly-queue') }}
 run: exit 0
- - name: Get comments
+ - name: Get PR data
 id: comments
- run: echo "bodies=$(gh pr view ${{ github.event.number }} --repo ${{ github.repository }} --json comments --jq '[.comments[].body]')" >> "$GITHUB_OUTPUT"
+ run: |
+ echo "bodies=$(gh pr view ${{ github.event.pull_request.number }} --repo ${{ github.repository }} --json comments --jq '[.comments[].body]')" >> "$GITHUB_OUTPUT"
+ echo "reviews=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews --jq '[.[].state]')" >> "$GITHUB_OUTPUT"
 env:
 GH_TOKEN: ${{ github.token }}
 - name: Fail when author pushes new code
 # Require new reviews when the author is pushing and he is not a member
 if: |
+ contains(fromJson(steps.comments.outputs.reviews), 'APPROVED') &&
 github.event_name == 'pull_request_target' &&
 github.event.action == 'synchronize' &&
 github.event.sender.login == github.event.pull_request.user.login &&
 github.event.pull_request.author_association != 'MEMBER'
 run: |
+ echo "User's association is ${{ github.event.pull_request.author_association }}"
 # We get the list of reviewers who approved the PR
- REVIEWERS=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.number }}/reviews \
+ REVIEWERS=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews \
 --jq '{reviewers: [.[] | select(.state == "APPROVED") | .user.login]}')
 # We request them to review again
- echo $REVIEWERS | gh api --method POST repos/${{ github.repository }}/pulls/${{ github.event.number }}/requested_reviewers --input -
+ echo $REVIEWERS | gh api --method POST repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/requested_reviewers --input -
 echo "::error::Project needs to be reviewed again"
 exit 1
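Review bot: The new `reviews=` line in the `Get PR data` step reads only the first page of the reviews endpoint, so the `contains(fromJson(steps.comments.outputs.reviews), 'APPROVED')` gate added to the next step fails open when the approval sits beyond that page. The REST API returns 30 reviews per page by default and COMMENTED reviews occupy slots too, so on a long-running PR a push from a non-member author could skip the re-review requirement. Asking for the maximum page size narrows the gap with a one-line change: `gh api "repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews?per_page=100" --jq '[.[].state]'`. `--paginate` would be complete, but with `--jq` it emits one array per page, so the pages would need merging into a single line before being written to `$GITHUB_OUTPUT`. The `REVIEWERS=$(gh api …/reviews` call later in this hunk has the same first-page limit and should get the same treatment.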
@@ -49,7 +53,7 @@ jobs:
 # If the previous step failed and github-actions hasn't commented yet we comment instructions
 if: failure() && !contains(fromJson(steps.comments.outputs.bodies), 'Review required! Latest push from author must always be reviewed')
 run: |
- gh pr comment ${{ github.event.number }} --repo ${{ github.repository }} --body "Review required! Latest push from author must always be reviewed"
+ gh pr comment ${{ github.event.pull_request.number }} --repo ${{ github.repository }} --body "Review required! Latest push from author must always be reviewed"
 env:
 GH_TOKEN: ${{ github.token }}
 COMMENTS: ${{ steps.comments.outputs.users }}