Approve all workflow runs for a specific contributor PR (#3876)

### What This PR adds the ability to approve workflow runs on forks on any current and subsequent changes automatically. This is a step above the "don't approve any workflow runs on forks automatically" that we have set up right now. The approval is triggered by commenting on a PR issue (`issue_comment`), or the usual PR activity (`pull_request_target`). It then looks through all comments on the PR, searching for the substring `@rerun-bot approve`. If it finds at least one, then it checks if the user that sent that comment is any of: - A repository owner - A member of the repository's organization - A repository collaborator If that is the case, then it approves all workflow runs on that pull request. PRs cannot modify this workflow or the script it uses to change how it works. The changes must first be merged into the default branch before having any effect, so this is safe for contributor PRs. ### Checklist * [x] I have read and agree to [Contributor Guide](https://github.com/rerun-io/rerun/blob/main/CONTRIBUTING.md) and the [Code of Conduct](https://github.com/rerun-io/rerun/blob/main/CODE_OF_CONDUCT.md) * [x] I've included a screenshot or gif (if applicable) * [x] I have tested [demo.rerun.io](https://demo.rerun.io/pr/3876) (if applicable) * [x] The PR title and labels are set such as to maximize their usefulness for the next release's CHANGELOG - [PR Build Summary](https://build.rerun.io/pr/3876) - [Docs preview](https://rerun.io/preview/5b5366f30d2c75c24fc85a437fb6c976807beb57/docs)  - [Examples preview](https://rerun.io/preview/5b5366f30d2c75c24fc85a437fb6c976807beb57/examples)  - [Recent benchmark results](https://ref.rerun.io/dev/bench/) - [Wasm size tracking](https://ref.rerun.io/dev/sizes/)
rerun-io · Oct 17, 2023 · 1e4d053 · 1e4d053
1 parent 3c912be
commit 1e4d053
Show file tree

Hide file tree

Showing 2 changed files with 108 additions and 0 deletions.
diff --git a/.github/workflows/auto_approve.yml b/.github/workflows/auto_approve.yml
@@ -0,0 +1,38 @@
+name: "Approve Workflow Runs"
+
+on:
+  pull_request_target:
+  issue_comment:
+    types: [created, edited]
+
+permissions:
+  actions: "write"
+
+jobs:
+  approve-workflow-runs:
+    name: "Check for approval"
+    runs-on: ubuntu-latest
+    if: ${{ github.event_name == 'pull_request' || github.event.issue.pull_request }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Python
+        uses: actions/setup-python@v4
+
+      - name: Install dependencies
+        run: |
+          pip install PyGithub==1.59.0 requests>=2.31,<3
+
+      - name: Wait a few seconds
+        run: |
+          # Give GitHub a bit of time to synchronize everything
+          sleep 10s
+
+      - name: Approve workflow runs
+        run: |
+          python3 scripts/ci/approve_workflow_runs.py \
+            --github-token "${{ secrets.GITHUB_TOKEN }}" \
+            --github-repository "rerun-io/rerun"
+            --pr-number "${{ github.event.pull_request.number || github.event.issue.number }}"
+
diff --git a/scripts/ci/approve_workflow_runs.py b/scripts/ci/approve_workflow_runs.py
@@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+
+"""
+Script to auto-approve workflow runs if certain criteria are met.
+
+Checks for a `@rerun-bot approve` comment made by an official Rerun team member,
+and approves any workflow runs with pending approval.
+
+This is expected to be run by the `auto_approve.yml` GitHub workflow.
+
+Requires the following packages:
+  pip install PyGithub==1.59.0 requests>=2.31,<3
+"""
+from __future__ import annotations
+
+import argparse
+
+import requests
+from github import Github
+from github.WorkflowRun import WorkflowRun
+
+APPROVAL = "@rerun-bot approve"
+
+
+def approve(github_token: str, workflow_run: WorkflowRun) -> None:
+    print(f"approving {workflow_run.id}")
+    requests.post(
+        f"https://api.github.com/repos/rerun-io/rerun/actions/runs/{workflow_run.id}/approve",
+        headers={
+            "Accept": "application/vnd.github+json",
+            "Authorization": f"Bearer {github_token}",
+            "X-GitHub-Api-Version": "2022-11-28",
+        },
+    ).raise_for_status()
+
+
+def main() -> None:
+    parser = argparse.ArgumentParser(description="Generate a PR summary page")
+    parser.add_argument("--github-token", required=True, help="GitHub token")
+    parser.add_argument("--github-repository", required=True, help="GitHub repository")
+    parser.add_argument("--pr-number", required=True, type=int, help="PR number")
+    args = parser.parse_args()
+
+    gh = Github(args.github_token)
+    repo = gh.get_repo(args.github_repository)
+    pr = repo.get_pull(args.pr_number)
+
+    for comment in pr.get_issue_comments():
+        if APPROVAL not in comment.body:
+            continue
+
+        can_user_approve_workflows = (
+            repo.owner.login == comment.user.login
+            or repo.organization.has_in_members(comment.user)
+            or repo.has_in_collaborators(comment.user)
+        )
+        if not can_user_approve_workflows:
+            continue
+
+        print(f"found valid approval by {comment.user.login}")
+        for workflow_run in repo.get_workflow_runs(branch=pr.head.ref):
+            if workflow_run.status == "action_required" or workflow_run.conclusion == "action_required":
+                approve(args.github_token, workflow_run)
+
+        # We only need one approval
+        return
+
+
+if __name__ == "__main__":
+    main()