[WIP] Securing EVE Logs #3209
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Request Code Owners Review | |
on: | |
pull_request_target: | |
types: ["opened", "synchronize"] | |
paths-ignore: | |
- '.github/workflows/request_codeowners_review.yml' | |
jobs: | |
auto_request_review: | |
runs-on: ubuntu-latest | |
permissions: | |
pull-requests: write | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.base_ref }} | |
fetch-depth: 0 | |
- name: Fetch the PR's head ref | |
run: | | |
git fetch origin ${{ github.event.pull_request.head.sha }}:${{ github.event.pull_request.head.ref }} | |
git checkout ${{ github.event.pull_request.head.ref }} | |
- name: Auto request review | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
reviewers="" | |
# Get changed files in this pull request | |
echo "Checking base: ${{ github.event.pull_request.base.sha }}" | |
echo "Checking head: ${{ github.event.pull_request.head.sha }}" | |
for changed_file in $(git diff --name-only ${{ github.event.pull_request.base.sha }}...HEAD); do | |
echo "Checking $changed_file" | |
while read -r line; do | |
# Get pattern of the files owned | |
pattern=$(echo "$line" | awk '{print $1}') | |
# Remove leading / from pattern and changed_file for comparison | |
pattern="${pattern#/}" | |
# Get owners of the files owned | |
owners=$(echo "$line" | awk '{$1=""; print $0}' | xargs) | |
# Remove leading / from changed_file for comparison | |
changed_file="${changed_file#/}" | |
if [[ "$changed_file" == $pattern* ]]; then | |
# Add owners to reviewers | |
echo "Found owners for $changed_file: $owners" | |
reviewers="$reviewers $owners" | |
fi | |
done < .github/CODEOWNERS | |
done | |
# Remove duplicates and format for JSON | |
reviewers=$(echo "$reviewers" | xargs -n1 | sort -u | xargs) | |
# Remove @ from reviewers (it stays in the beginning of the username) | |
reviewers_cleaned=${reviewers//@/} | |
IFS=' ' read -ra reviewers_array <<< "$reviewers_cleaned" | |
# Get username of PR author to exclude from reviewers | |
pr_author="${{ github.event.pull_request.user.login }}" | |
# Remove PR author from reviewers | |
filtered_reviewers=() | |
for reviewer in ${reviewers_array[@]}; do | |
if [[ "$reviewer" != "$pr_author" ]]; then | |
filtered_reviewers+=("$reviewer") | |
fi | |
done | |
if [ ${#filtered_reviewers[@]} -gt 0 ]; then | |
json_array=$(printf ',\"%s\"' "${filtered_reviewers[@]}") | |
json_array="[${json_array:1}]" # Remove the leading comma | |
echo "JSON array: $json_array" | |
echo "Requesting review from: ${filtered_reviewers[*]}" | |
echo https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/requested_reviewers | |
curl -L \ | |
-D - \ | |
-X POST \ | |
-H "Authorization: Bearer $GITHUB_TOKEN" \ | |
-H "Accept: application/vnd.github+json" \ | |
https://api.github.com/repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/requested_reviewers \ | |
-d "{\"reviewers\": $json_array}" | |
else | |
echo "No reviewers found for the changed files." | |
fi |