workflow

.github/CODEOWNERS

@@ -34,6 +34,9 @@
 
 /.github/CODEOWNERS                            @microsoft/fluid-cr-api
 
+# Changes to this workflow require approval from the Release Approvers team
+/.github/workflows/required-reviewers-release.yml @microsoft/FluidFramework-ReleaseApprovers
+
 # ID compressor source
 /packages/runtime/id-compressor/src            @microsoft/fluid-cr-id-compressor
 

.github/workflows/required-reviewers-release.yml

@@ -20,34 +20,48 @@ jobs:
   warning:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # ratchet:actions/checkout@v4
+      # release notes: https://github.com/actions/checkout/releases/tag/v4.1.7
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # ratchet:actions/checkout@v4
         with:
           persist-credentials: false
           submodules: false
 
-      - name: Check if PR is approved by a hardcoded list of approvers
+      # install and configure node, pnpm and the changeset tools
+      # release notes: https://github.com/pnpm/action-setup/releases/tag/v4.0.0
+      - uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # ratchet:pnpm/action-setup@v4
+
+      # release notes: https://github.com/actions/setup-node/releases/tag/v4.0.3
+      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # ratchet:actions/setup-node@v3
+        with:
+          node-version-file: .nvmrc
+          cache: "pnpm"
+          cache-dependency-path: pnpm-lock.yaml
+
+      - name: Install Fluid build tools
+        continue-on-error: true
+        run: |
+          cd build-tools
+          pnpm install --frozen-lockfile
+          pnpm run build:compile
+          # We want flub available to call, so we run npm link in the build-cli package, which creates shims that are avilable on the PATH
+          # Use npm link instead of pnpm link because it handles bins better
+          cd packages/build-cli
+          npm link
+
+      - name: Check build-tools installation
+        run: |
+          # Info for debugging
+          which flub
+          flub --help
+          flub commands
+
+      - name: Check PR approval
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          PR_NUMBER=$(echo ${{ github.event.pull_request.number }})
-          REPO=${{ github.repository }}
-          HARDCODED_APPROVERS=("approver1" "approver2" "approver3") # Replace with actual GitHub usernames
-
-          # Get the list of reviews for the PR
-          REVIEWS=$(gh pr view ${{ github.event.pull_request.number }} reviews --json --jq '.reviews[] | select(.state == "APPROVED") | .user.login')
-
-          # Check if any review is approved by a hardcoded approver
-          APPROVED_BY_HARDCODED_APPROVER=false
-          for REVIEWER in $REVIEWS; do
-            if [[ " ${HARDCODED_APPROVERS[@]} " =~ " ${REVIEWER} " ]]; then
-              APPROVED_BY_HARDCODED_APPROVER=true
-              break
-            fi
-          done
-
-          if [ "$APPROVED_BY_HARDCODED_APPROVER" = false ]; then
-            echo "The PR has not been approved by a hardcoded approver."
-            exit 1
-          else
-            echo "The PR has been approved by a hardcoded approver."
-          fi
+          # This command will fail with an error if the PR is not approved, which
+          # will cause
+          flub check prApproval \
+            --pr ${{ github.event.pull_request.number }} \
+            --repo ${{ github.repository }} \
+            --team FluidFramework-ReleaseApprovers

build-tools/packages/build-cli/src/commands/check/prApproval.ts

@@ -5,7 +5,7 @@
 
 import { Flags } from "@oclif/core";
 
-import { githubTokenFlag } from "../../flags.js";
+import { githubActionsFlag, githubTokenFlag } from "../../flags.js";
 
 import {
 	type GitHubProps,
@@ -63,6 +63,7 @@ export default class CheckPrApprovalCommand extends BaseCommand<
 		token: githubTokenFlag({
 			required: true,
 		}),
+		ghActions: githubActionsFlag,
 		...BaseCommand.flags,
 	} as const;
 
@@ -78,16 +79,26 @@ export default class CheckPrApprovalCommand extends BaseCommand<
 		const isApproved =
 			approvers === undefined
 				? teamName === undefined
-					? false
+					? // this case shouldn't happen since oclif should guarantee one of
+						// approvers or teamName is provided
+						false
 					: await isPrApprovedByTeam(props, pr, teamName)
 				: await isPrApprovedByUsers(props, pr, new Set(approvers));
 
+		// When outputting JSON, just return the raw value. Otherwise throw an error if the PR is not approved.
 		if (this.flags.json === true) {
 			return isApproved;
 		}
 
 		if (!isApproved) {
-			this.error(`PR ${pr} is not approved by any member of ${teamName}.`, { exit: 1 });
+			const message = `PR ${pr} is not approved by any member of ${teamName}.`;
+			if (this.flags.ghActions) {
+				this.log(`::error ::${message}`);
+			}
+			this.error(
+				`${message} Check the review details at https://github.com/${owner}/${repo}/pull/${pr}`,
+				{ exit: 1 },
+			);
 		}
 
 		return isApproved;

build-tools/packages/build-cli/src/flags.ts

@@ -375,3 +375,13 @@ export const githubTokenFlag = Flags.custom({
 		"GitHub access token. This parameter should be passed using the GITHUB_TOKEN environment variable for security purposes.",
 	env: "GITHUB_TOKEN",
 });
+
+/**
+ * A reusable flag to indicate the command is running in the GitHub Actions environment. This value is typically parsed
+ * from the GITHUB_ACTIONS environment variable but can be set manually for testing.
+ */
+export const githubActionsFlag = Flags.boolean({
+	description:
+		"Set to true to output logs in a GitHub Actions-compatible format. This value will be set to true automatically when running in GitHub Actions.",
+	env: "GITHUB_ACTIONS",
+});