Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 17 additions & 2 deletions .github/workflows/auto-approve.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ name: Auto-Approve Clean PRs

on:
workflow_run:
workflows: [".github/workflows/base.yml", "PyDeequ Bot"]
workflows: [".github/workflows/base.yml", "Shadow"]
types: [completed]

permissions:
Expand Down Expand Up @@ -55,6 +55,21 @@ jobs:
return;
}

// Condition 0: never auto-approve a PR that changes the bot's own
// guardrails (workflows or engine config) — that lets a PR weaken
// the approval gate and be approved by the very gate it edits.
// Require a human for these.
const files = await github.paginate(github.rest.pulls.listFiles, {
owner, repo, pull_number: prNumber, per_page: 100
});
const guarded = files.find(f =>
f.filename.startsWith('.github/') || f.filename === '.shadow.yml'
);
if (guarded) {
core.info(`PR touches guarded path ${guarded.filename} — requires human review, skipping`);
return;
}

// Condition 1: CI must have passed for this SHA
const {data: workflowRuns} = await github.rest.actions.listWorkflowRunsForRepo({
owner, repo, head_sha: sha, status: 'completed'
Expand All @@ -72,7 +87,7 @@ jobs:
owner, repo, pull_number: prNumber
});

const CLEAN_MARKER = '<!-- deequ-bot:clean -->';
const CLEAN_MARKER = '<!-- shadow:clean -->';

const latestBot = reviews
.filter(r => r.user.login === 'github-actions[bot]')
Expand Down
3 changes: 2 additions & 1 deletion .github/workflows/issue-bot.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
name: PyDeequ Bot # load-bearing: auto-approve.yml keys on this exact name
name: Shadow # load-bearing: auto-approve.yml keys on this exact name
# To upgrade the engine, bump the SHA in BOTH `uses:` and `shadow_ref` below
# (GitHub forbids expressions in `uses:`, so they can't share a variable).

Expand Down Expand Up @@ -54,6 +54,7 @@ jobs:
KB_S3_BUCKET: ${{ secrets.KB_S3_BUCKET }}
KB_S3_KEY: ${{ secrets.KB_S3_KEY }}
BEDROCK_MODEL_ID: ${{ secrets.BEDROCK_MODEL_ID }}
# Repo variables (not secrets); empty falls back to engine defaults.
BEDROCK_REPORTER_MODEL_ID: ${{ vars.BEDROCK_REPORTER_MODEL_ID }}
BEDROCK_CRITIC_MODEL_ID: ${{ vars.BEDROCK_CRITIC_MODEL_ID }}
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
2 changes: 1 addition & 1 deletion .shadow.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ codebase:
language: python

bot:
name: deequ-bot # not pydeequ-bot: must render the <!-- deequ-bot:clean --> marker auto-approve.yml greps for
name: shadow # renders the <!-- shadow:clean --> marker auto-approve.yml greps for
attribution: "Reviewed by Shadow · github.com/sudsali/shadow"
escalate_label: needs-human
max_replies: 2
Expand Down
Loading