add add_catalog_integration call even if we have a pre-existing manifest #2497
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # **what?** | |
| # Enforces 2 reviews when artifact or validation files are modified. | |
| # **why?** | |
| # Ensure artifact changes receive proper review from designated team members. GitHub doesn't support | |
| # multiple reviews on a single PR based on files changed, so we need to enforce this manually. | |
| # **when?** | |
| # This will run when reviews are submitted and dismissed. | |
| name: "Enforce Additional Reviews on Artifact and Validations Changes" | |
| permissions: | |
| checks: write | |
| pull-requests: write | |
| contents: read | |
| on: | |
| # trigger check on review events. use pull_request_target for forks. | |
| pull_request_target: | |
| types: [opened, reopened, ready_for_review, synchronize, review_requested] | |
| pull_request_review: | |
| types: [submitted, edited, dismissed] | |
| # only run this once per PR at a time | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number }} | |
| cancel-in-progress: true | |
| env: | |
| required_approvals: 2 | |
| team: "core-group" | |
| jobs: | |
| check-reviews: | |
| name: "Validate Additional Reviews" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: "Get list of changed files" | |
| id: changed_files | |
| run: | | |
| # Fetch files as JSON and process with jq to sanitize output | |
| gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/files \ | |
| | jq -r '.[].filename' \ | |
| | while IFS= read -r file; do | |
| # Sanitize the filename by removing any special characters and command injection attempts | |
| clean_file=$(echo "$file" | sed 's/[^a-zA-Z0-9\.\/\-_]//g') | |
| echo "$clean_file" | |
| done > changed_files.txt | |
| echo "CHANGED_FILES<<EOF" >> $GITHUB_OUTPUT | |
| cat changed_files.txt >> $GITHUB_OUTPUT | |
| echo "EOF" >> $GITHUB_OUTPUT | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: "Check if any artifact files changed" | |
| id: artifact_files_changed | |
| run: | | |
| artifact_changes=false | |
| while IFS= read -r file; do | |
| # Only process if file path looks legitimate | |
| if [[ "$file" =~ ^[a-zA-Z0-9\.\/\-_]+$ ]]; then | |
| if [[ "$file" == "core/dbt/artifacts/"* ]] ; then | |
| artifact_changes=true | |
| break | |
| fi | |
| fi | |
| done < changed_files.txt | |
| echo "artifact_changes=$artifact_changes" >> $GITHUB_OUTPUT | |
| - name: "Get Core Team Members" | |
| if: steps.artifact_files_changed.outputs.artifact_changes == 'true' | |
| id: core_members | |
| run: | | |
| gh api -H "Accept: application/vnd.github+json" \ | |
| /orgs/dbt-labs/teams/${{ env.team }}/members > core_members.json | |
| # Extract usernames and set as multiline output | |
| echo "membership<<EOF" >> $GITHUB_OUTPUT | |
| jq -r '.[].login' core_members.json >> $GITHUB_OUTPUT | |
| echo "EOF" >> $GITHUB_OUTPUT | |
| env: | |
| GH_TOKEN: ${{ secrets.IT_TEAM_MEMBERSHIP }} | |
| - name: "Verify ${{ env.required_approvals }} core team approvals" | |
| if: steps.artifact_files_changed.outputs.artifact_changes == 'true' | |
| id: check_approvals | |
| run: | | |
| # Get all reviews | |
| REVIEWS=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews) | |
| echo "All reviews:" | |
| echo "$REVIEWS" | |
| # Count approved reviews from core team members (only most recent review per user) | |
| CORE_APPROVALS=0 | |
| while IFS= read -r member; do | |
| echo "Checking member: $member" | |
| APPROVED=$(echo "$REVIEWS" | jq --arg user "$member" ' | |
| group_by(.user.login) | | |
| map(select(.[0].user.login == $user) | | |
| sort_by(.submitted_at) | | |
| last) | | |
| map(select(.state == "APPROVED" and (.state != "DISMISSED"))) | | |
| length') | |
| echo "Latest review state for $member: $APPROVED" | |
| CORE_APPROVALS=$((CORE_APPROVALS + APPROVED)) | |
| echo "Running total: $CORE_APPROVALS" | |
| done <<< "${{ steps.core_members.outputs.membership }}" | |
| echo "CORE_APPROVALS=$CORE_APPROVALS" >> $GITHUB_OUTPUT | |
| echo "CORE_APPROVALS=$CORE_APPROVALS" | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: "Find Comment" | |
| if: steps.artifact_files_changed.outputs.artifact_changes == 'true' && steps.check_approvals.outputs.CORE_APPROVALS < env.required_approvals | |
| uses: peter-evans/find-comment@v2 | |
| id: find-comment | |
| with: | |
| issue-number: ${{ github.event.pull_request.number }} | |
| comment-author: 'github-actions[bot]' | |
| body-includes: "### Additional Artifact Review Required" | |
| - name: "Create Comment" | |
| if: steps.artifact_files_changed.outputs.artifact_changes == 'true' && steps.find-comment.outputs.comment-id == '' && steps.check_approvals.outputs.CORE_APPROVALS < env.required_approvals | |
| uses: peter-evans/create-or-update-comment@v3 | |
| with: | |
| issue-number: ${{ github.event.pull_request.number }} | |
| body: | | |
| ### Additional Artifact Review Required | |
| Changes to artifact directory files requires at least ${{ env.required_approvals }} approvals from core team members. | |
| - name: "Notify if not enough approvals" | |
| if: steps.artifact_files_changed.outputs.artifact_changes == 'true' | |
| run: | | |
| if [[ "${{ steps.check_approvals.outputs.CORE_APPROVALS }}" -ge "${{ env.required_approvals }}" ]]; then | |
| title="Extra requirements met" | |
| message="Changes to artifact directory files requires at least ${{ env.required_approvals }} approvals from core team members. Current number of core team approvals: ${{ steps.check_approvals.outputs.CORE_APPROVALS }} " | |
| echo "::notice title=$title::$message" | |
| echo "REVIEW_STATUS=success" >> $GITHUB_OUTPUT | |
| else | |
| title="PR Approval Requirements Not Met" | |
| message="Changes to artifact directory files requires at least ${{ env.required_approvals }} approvals from core team members. Current number of core team approvals: ${{ steps.check_approvals.outputs.CORE_APPROVALS }} " | |
| echo "::notice title=$title::$message" | |
| echo "REVIEW_STATUS=neutral" >> $GITHUB_OUTPUT | |
| fi | |
| id: review_check | |
| - name: "Set check status" | |
| id: status_check | |
| run: | | |
| if [[ "${{ steps.artifact_files_changed.outputs.artifact_changes }}" == 'false' ]]; then | |
| # no extra review required | |
| echo "current_status=success" >> $GITHUB_OUTPUT | |
| elif [[ "${{ steps.review_check.outputs.REVIEW_STATUS }}" == "success" ]]; then | |
| # we have all the required reviews | |
| echo "current_status=success" >> $GITHUB_OUTPUT | |
| else | |
| # neutral exit - neither success nor failure | |
| # we can't fail here because we use multiple triggers for this workflow and they won't reset the check | |
| # workaround is to use a neutral exit to skip the check run until it's actually successful | |
| echo "current_status=neutral" >> $GITHUB_OUTPUT | |
| fi | |
| - name: "Post Event" | |
| # This step posts the status of the check because the workflow is triggered by multiple events | |
| # and we need to ensure the check is always updated. Otherwise we would end up with duplicate | |
| # checks in the GitHub UI. | |
| run: | | |
| if [[ "${{ steps.status_check.outputs.current_status }}" == "success" ]]; then | |
| state="success" | |
| else | |
| state="failure" | |
| fi | |
| gh api \ | |
| --method POST \ | |
| -H "Accept: application/vnd.github+json" \ | |
| /repos/${{ github.repository }}/statuses/${{ github.event.pull_request.base.sha }} \ | |
| -f state="$state" \ | |
| -f description="Artifact Review Check" \ | |
| -f context="Artifact Review Check" \ | |
| -f target_url="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
| env: | |
| GH_TOKEN: ${{ secrets.FISHTOWN_BOT_PAT }} |