ci: fix script injection, unique approvals, scope PR closing per-package

theomonnom · theomonnom · commit c178bb3f6e6f · 2026-04-08T13:10:45.000-07:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -59,13 +59,15 @@ jobs:
           submodules: true
 
       - name: Guard non-main branches
+        env:
+          INPUT_VERSION: ${{ inputs.version }}
+          INPUT_BRANCH: ${{ inputs.branch }}
         run: |
-          key=$(echo "${{ inputs.version }}" | awk '{print $1}')
-          branch="${{ inputs.branch }}"
-          if [ "$branch" != "main" ]; then
+          key=$(echo "$INPUT_VERSION" | awk '{print $1}')
+          if [ "$INPUT_BRANCH" != "main" ]; then
             case "$key" in
               *-rc|next-rc) ;; # allowed
-              *) echo "::error::Only RC releases are allowed from non-main branches (got '$key' on '$branch')"; exit 1 ;;
+              *) echo "::error::Only RC releases are allowed from non-main branches (got '$key' on '$INPUT_BRANCH')"; exit 1 ;;
             esac
           fi
 
@@ -78,9 +80,12 @@ jobs:
         run: pip install click packaging
 
       - name: Bump version
+        env:
+          INPUT_VERSION: ${{ inputs.version }}
+          INPUT_PACKAGE: ${{ inputs.package }}
         run: |
-          key=$(echo "${{ inputs.version }}" | awk '{print $1}')
-          pkg="${{ inputs.package }}"
+          key=$(echo "$INPUT_VERSION" | awk '{print $1}')
+          pkg="$INPUT_PACKAGE"
 
           case "$key" in
             patch|minor|major)
@@ -101,12 +106,14 @@ jobs:
 
       - name: Read new version
         id: version
+        env:
+          INPUT_PACKAGE: ${{ inputs.package }}
         run: |
-          pkg="${{ inputs.package }}"
+          pkg="$INPUT_PACKAGE"
           version_file=$(echo '${{ env.VERSION_FILE_MAP }}' | jq -r --arg pkg "$pkg" '.[$pkg]')
           version=$(python -c "
           import re, pathlib
-          m = re.search(r'__version__\s*=\s*[\"'\''](.*?)[\"'\'']', pathlib.Path('$version_file').read_text())
+          m = re.search(r'__version__\s*=\s*[\"'\''](.*?)[\"'\'']', pathlib.Path('${version_file}').read_text())
           print(m.group(1))
           ")
           tag_prefix=$(echo '${{ env.TAG_PREFIX_MAP }}' | jq -r --arg pkg "$pkg" '.[$pkg]')
@@ -117,8 +124,9 @@ jobs:
       - name: Close existing release PRs for this package
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG_PREFIX: ${{ steps.version.outputs.tag_prefix }}
         run: |
-          prefix="release/${{ steps.version.outputs.tag_prefix }}-v"
+          prefix="release/${TAG_PREFIX}-v"
           gh pr list --state open --json number,headRefName \
             --jq ".[] | select(.headRefName | startswith(\"$prefix\")) | .number" | while read -r pr; do
             echo "Superseding release PR #$pr"
@@ -129,23 +137,25 @@ jobs:
       - name: Create release PR
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ steps.version.outputs.version }}
+          TAG_PREFIX: ${{ steps.version.outputs.tag_prefix }}
+          INPUT_BRANCH: ${{ inputs.branch }}
+          INPUT_PACKAGE: ${{ inputs.package }}
         run: |
-          version="${{ steps.version.outputs.version }}"
-          tag_prefix="${{ steps.version.outputs.tag_prefix }}"
-          branch="release/${tag_prefix}-v${version}"
+          branch="release/${TAG_PREFIX}-v${VERSION}"
 
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
           git checkout -b "$branch"
           git add -A
-          git commit -m "${tag_prefix}-v${version}"
+          git commit -m "${TAG_PREFIX}-v${VERSION}"
           git push --force origin "$branch"
 
           gh pr create \
-            --base "${{ inputs.branch }}" \
+            --base "$INPUT_BRANCH" \
             --head "$branch" \
-            --title "${{ inputs.package }} v${version}" \
-            --body "Merging this PR will publish **${{ inputs.package }}** v${version} to PyPI." \
+            --title "${INPUT_PACKAGE} v${VERSION}" \
+            --body "Merging this PR will publish **${INPUT_PACKAGE}** v${VERSION} to PyPI." \
             --label "release"
 
   # ── Step 2: Publish on merge ──────────────────────────────────
@@ -162,10 +172,11 @@ jobs:
     steps:
       - name: Parse release branch
         id: detect
+        env:
+          HEAD_REF: ${{ github.event.pull_request.head.ref }}
         run: |
-          branch="${{ github.event.pull_request.head.ref }}"
           # branch is like release/rtc-v1.2.0, release/api-v1.1.1, release/protocol-v1.1.5
-          ref="${branch#release/}"
+          ref="${HEAD_REF#release/}"
           prefix="${ref%%-v*}"
 
           case "$prefix" in
@@ -187,11 +198,13 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Create git tag
+        env:
+          TAG: ${{ needs.detect.outputs.tag }}
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
-          git tag "${{ needs.detect.outputs.tag }}"
-          git push origin "${{ needs.detect.outputs.tag }}"
+          git tag "$TAG"
+          git push origin "$TAG"
 
   # ── RTC builds (multi-platform) ──────────────────────────────
   build-rtc:
diff --git a/.github/workflows/release-gate.yml b/.github/workflows/release-gate.yml
@@ -14,14 +14,15 @@ permissions:
 jobs:
   release-gate:
     name: Release gate
-    if: startsWith(github.event.pull_request.head.ref, 'release/v')
+    if: startsWith(github.event.pull_request.head.ref, 'release/')
     runs-on: ubuntu-latest
     steps:
       - name: Verify PR was created by GitHub Actions
+        env:
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
         run: |
-          author="${{ github.event.pull_request.user.login }}"
-          if [ "$author" != "github-actions[bot]" ]; then
-            echo "::error::Release PRs must be created by the publish workflow, not by '$author'"
+          if [ "$PR_AUTHOR" != "github-actions[bot]" ]; then
+            echo "::error::Release PRs must be created by the publish workflow, not by '$PR_AUTHOR'"
             exit 1
           fi
 
@@ -30,7 +31,7 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           approvals=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/reviews \
-            --jq '[.[] | select(.state == "APPROVED")] | length')
+            --jq '[.[] | select(.state == "APPROVED") | .user.login] | unique | length')
           echo "Approvals: $approvals"
           if [ "$approvals" -lt 2 ]; then
             echo "::error::Release PRs require at least 2 approvals (got $approvals)"
