security-label-check.yml
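name: Security Label Check

# Gate for pull requests from forks: once a PR carries the "Security Review"
# label, the job fails until the "Security Approved" label is present as well.
on:
  pull_request:
    types: [opened, edited, labeled, synchronize, unlabeled]

# Least privilege: the job only reads the event payload and the repository.
permissions:
  contents: read

jobs:
  security-check:
    runs-on: ubuntu-latest
    # Runs only in demisto/content, only for PRs whose head repo is a fork, and
    # not when the head branch name contains the contribution test pack marker.
    # NOTE(review): github.head_ref is chosen by the PR author, so the third
    # clause lets the author decide whether this gate runs. If this job is a
    # required status check, a skipped run is generally treated as passing
    # (confirm in branch protection). Prefer keying the exemption on something
    # the author cannot set, such as a maintainer-applied label.
    if: >-
      github.repository == 'demisto/content' &&
      github.event.pull_request.head.repo.fork == true &&
      contains(github.head_ref, 'xsoar-bot-contrib-ContributionTestPack') == false
    steps:
      - name: Checkout code
        # NOTE(review): the check below reads only $GITHUB_EVENT_PATH, so the
        # working tree is not needed. Credentials are not persisted because
        # nothing here pushes. Consider pinning the action to a full commit SHA
        # instead of a mutable tag.
        uses: actions/checkout@v3
        with:
          persist-credentials: false
      # NOTE(review): despite the step name, no base-branch condition is
      # evaluated in this script; only the PR labels are inspected.
      - name: Check if PR base branch starts with "contrib" and labels are correct
        id: security_check
        run: |
          # Succeeds only when the PR has a label whose name is exactly "$1".
          # Exact comparison avoids treating a label that merely contains the
          # text (for example a "Not ..." variant) as the approval label.
          has_label() {
            jq -e --arg name "$1" \
              'any(.pull_request.labels[]; .name == $name)' \
              "$GITHUB_EVENT_PATH" > /dev/null
          }

          if has_label "Security Review"; then
            echo "Security Review label present. Checking if Security Approved label is added..."
            if ! has_label "Security Approved"; then
              echo "Security Approved label is missing. The PR still requires a review from the security team."
              exit 1
            else
              echo "Security Approved label is present."
            fi
          else
            echo "Security Review label is not added. Security review is not required."
          fi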