Skip to content

Github Action to check PR approvals and codeowners

Notifications You must be signed in to change notification settings

skymoore/required-approvals

Use this GitHub action with your project
Add this Action to an existing workflow or create a new one
View on Marketplace

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

75 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Required Approvals GitHub Action

Checks if the required codeowners have approved a PR and requires a minimum number of approvals

Inputs:

  • token
    • required
    • The PR token, accessible at secrets.GITHUB_TOKEN.
  • read_org_scoped_token
    • required
    • A Personal Access Token (PAT) that has the read:org scope for the organization org_name.
  • org_name
    • required
    • The github organization to search for teams and team members.
  • min_approvals
    • required
    • The minimum number of approvals, regardless of codeowners team membership.
  • pr_number
    • optional
    • Pull request number, mutually exclusive with branch, will check approvals on this PR if supplied. If not supplied, will check approvals on the PR that triggered the workflow. If both pr_number and branch are supplied it will default to the latest pr on the branch, and check approvals on that PR.
  • branch
    • optional
    • Branch name, mutually exclusive with pr_number, will look for prs from this branch if supplied, select the newest one if there are multiple, and check approvals on that PR. If not supplied, will check approvals on the PR that triggered the workflow. If both pr_number and branch are supplied it will default to the latest pr on the branch.
  • require_all_approvals_latest_commit
    • optional
    • default: true
    • Require all approvals to be on the latest commit of the PR, ignore approvals on previous commits.
  • limit_org_teams_to_codeowners_file
    • optional
    • default: false
    • Enable to limit a user's team membership check to only those specified in the CODEOWNERS file. This overrides the default behavior of checking all teams in the organization org_name. Consider enabling for environments with a large number of teams to reduce execution time.
  • approval_mode
    • optional
    • default: ALL
    • Determines the approval requirement for codeowners. If set to "ALL", all codeowners must approve. If set to "ANY", at least one approval from a codeowner is sufficient. If not provided, the default is "ALL".

Outputs:

  • approved
    • true if all required approvals are met, false otherwise

How to use this GitHub Action:

  1. Ensure your repo has a codeowners file at /.github/CODEOWNERS or /CODEOWNERS example CODEOWNERS:
    .github/** @YourOrg/some_team_name
    some_dir/** @YourOrg/some_other_team_name
    
  2. Create a PAT that has the read:org scope enabled for your organization, and add it as a secret to your organization, repo, or environment.
  3. Create a workflow that uses the action: example workflow:
    name: PR Approval Workflow
    
    on:
      pull_request:
        branches:
          - main
      pull_request_review:
        types: [submitted]
    
    jobs:
      check-approvals:
        runs-on: ubuntu-latest
        permissions:
          id-token: write
          contents: read
          pull-requests: read
        steps:
          - name: Check for required approvals
            id: check-approvals
            uses: skymoore/required-approvals@main
            with:
              token: ${{ secrets.GITHUB_TOKEN }}
              read_org_scoped_token: ${{ secrets.READ_ORG_SCOPED_TOKEN }}
              org_name: yourorg
              min_approvals: 1
    
          - name: Run action if all required approvals are met
            if: ${{ steps.check-approvals.outputs.approved == 'true' }}
            run: |
              echo "All required approvals are met. Running the action."