From 4384c613afc936048e91572a7ca14dc2029acad8 Mon Sep 17 00:00:00 2001 
From: Javier Bullrich Date: Thu, 28 Sep 2023 12:59:35 +0200 Subject: [PATCH] Added `review-bot` to fine tune review requirements (#1673) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Created a Github Action that uses the [Review-Bot app](https://github.com/paritytech/review-bot) to require more fine tuned requirements to review pull requests before allowing the PR to be merged. This uses [`pull_request_target`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target) for the event, not `pull_request`, because the workflow needs the app secrets, which `pull_request` runs triggered from forks cannot read; the workflow runs in the base repository's context and never checks out or executes code from the PR head, which is what keeps those secrets out of an attacker's reach. All the rules have been copied from the original `.github/pr-custom-review.yml` file. I want to clarify, this particular commit is **not intended to replace PRCR yet**. # Advantages it brings over `PRCR` Most of the features available in `PRCR` have been duplicated and enhanced. For a complete detailed write up, please see: - paritytech/pr-custom-review#114 -> Proposal for the rewrite - [Review Bot Documentation](https://github.com/paritytech/review-bot/blob/main/README.md) The most important features are: - `include` and `exclude` fields now accept an array, making it easier to read the regular expressions. - Ability to skip a rule - We can set that PRs coming from a particular user or team will cause the rule to be skipped. - This is used in the `Audit rule`, which was requested by @the-right-joyce. - This resolves paritytech/pr-custom-review#136 - Ability to request fellows instead of teams - As requested in polkadot-fellows/runtimes#7, this bot has the ability to request fellows by rank instead of users. - We currently have polkadot-fellows/runtimes#31 which is using that feature.
Aside from all the rules available in `PRCR` I have added a particular rule to lock the review-bot files and require a review from the `locks-review` team, the @paritytech/ci team and the @paritytech/opstooling team to ensure that the file has been written correctly. ## Next steps The next steps will consist on paritytech/review-bot#53, once this issue has been resolved, and `review-bot` has worked without any issues on this repository for a while, we will upgrade it to be able to fully replace `PRCR`. --- .github/review-bot.yml | 121 +++++++++++++++++++++++++++++++ .github/workflows/review-bot.yml | 31 ++++++++ 2 files changed, 152 insertions(+) create mode 100644 .github/review-bot.yml create mode 100644 .github/workflows/review-bot.yml diff --git a/.github/review-bot.yml b/.github/review-bot.yml new file mode 100644 index 0000000000..c9eadd6e58 --- /dev/null +++ b/.github/review-bot.yml 
@@ -0,0 +1,121 @@
+rules:
+ - name: CI files
+ condition:
+ include:
+ - ^\.gitlab-ci\.yml
+ - ^docker/.*
+ - ^\.github/.*
+ - ^\.gitlab/.*
+ - ^\.config/nextest.toml
+ - ^\.cargo/.*
+ exclude:
+ - ^./gitlab/pipeline/zombienet.*
+ min_approvals: 2
+ type: basic
+ teams:
+ - ci
+ - release-engineering
+
+ - name: Audit rules
+ type: basic
+ condition:
+ include:
+ - ^polkadot/runtime\/(kusama|polkadot|common)\/.*
+ - ^polkadot/primitives/src\/.+\.rs$
+ - ^substrate/primitives/.*
+ - ^substrate/frame/.*
+ exclude:
+ - ^polkadot/runtime\/(kusama|polkadot)\/src\/weights\/.+\.rs$
+ - ^substrate\/frame\/.+\.md$
+ min_approvals: 1
+ allowedToSkipRule:
+ teams:
+ - core-devs
+ teams:
+ - srlabs
+
+ - name: Core developers
+ countAuthor: true
+ condition:
+ include:
+ - .*
+ # excluding files from 'Runtime files' and 'CI files' rules
+ exclude:
+ - ^polkadot/runtime/(kusama|polkadot)/src/[^/]+\.rs$
+ - ^cumulus/parachains/runtimes/assets/(asset-hub-kusama|asset-hub-polkadot)/src/[^/]+\.rs$
+ - ^cumulus/parachains/runtimes/bridge-hubs/(bridge-hub-kusama|bridge-hub-polkadot)/src/[^/]+\.rs$
+ - ^cumulus/parachains/runtimes/collectives/collectives-polkadot/src/[^/]+\.rs$
+ - ^cumulus/parachains/common/src/[^/]+\.rs$
+ - ^substrate/frame/(?!.*(nfts/.*|uniques/.*|babe/.*|grandpa/.*|beefy|merkle-mountain-range/.*|contracts/.*|election|nomination-pools/.*|staking/.*|aura/.*))
+ - ^polkadot/runtime/(kusama|polkadot)/src/[^/]+\.rs$
+ - ^\.gitlab-ci\.yml
+ - ^docker/.*
+ - ^\.github/.*
+ - ^\.gitlab/.*
+ - ^\.config/nextest.toml
+ - ^\.cargo/.*
+ min_approvals: 2
+ type: basic
+ teams:
+ - core-devs
+
+ # cumulus
+ - name: Runtime files cumulus
+ countAuthor: true
+ condition:
+ include:
+ - ^cumulus/parachains/runtimes/assets/(asset-hub-kusama|asset-hub-polkadot)/src/[^/]+\.rs$
+ - ^cumulus/parachains/runtimes/bridge-hubs/(bridge-hub-kusama|bridge-hub-polkadot)/src/[^/]+\.rs$
+ - ^cumulus/parachains/runtimes/collectives/collectives-polkadot/src/[^/]+\.rs$
+ - ^cumulus/parachains/common/src/[^/]+\.rs$
+ type: and-distinct
+ reviewers:
+ - min_approvals: 1
+ teams:
+ - locks-review
+ - min_approvals: 1
+ teams:
+ - polkadot-review
+
+ # if there are any changes in the bridges subtree (in case of backport changes back to bridges repo)
+ - name: Bridges subtree files
+ type: basic
+ condition:
+ include:
+ - ^bridges/.*
+ min_approvals: 1
+ teams:
+ - bridges-core
+
+ # substrate
+
+ - name: FRAME coders substrate
+ condition:
+ include:
+ - ^substrate/frame/(?!.*(nfts/.*|uniques/.*|babe/.*|grandpa/.*|beefy|merkle-mountain-range/.*|contracts/.*|election|nomination-pools/.*|staking/.*|aura/.*))
+ type: "and"
+ reviewers:
+ - min_approvals: 2
+ teams:
+ - core-devs
+ - min_approvals: 1
+ teams:
+ - frame-coders
+
+ # Protection of THIS file
+ - name: Review Bot
+ condition:
+ include:
+ - review-bot\.yml
+ min_approvals: 2
+ type: "and"
+ reviewers:
+ - min_approvals: 1
+ teams:
+ - opstooling
+ - min_approvals: 1
+ teams:
+ - locks-review
+ - min_approvals: 1
+ teams:
+ - ci
diff --git a/.github/workflows/review-bot.yml b/.github/workflows/review-bot.yml
new file mode 100644
index 0000000000..aeb33b5da3
--- /dev/null
+++ b/.github/workflows/review-bot.yml
@@ -0,0 +1,31 @@
+name: Review PR
+on:
+ pull_request_target:
+ types:
+ - opened
+ - reopened
+ - synchronize
+ - review_requested
+ - review_request_removed
+ - ready_for_review
+ pull_request_review:
+
+permissions:
+ contents: read
+
+jobs:
+ review-approvals:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Generate token
+ id: team_token
+ uses: tibdex/github-app-token@v1
+ with:
+ app_id: ${{ secrets.REVIEW_APP_ID }}
+ private_key: ${{ secrets.REVIEW_APP_KEY }}
+ - name: "Evaluates PR reviews and assigns reviewers"
+ uses: paritytech/review-bot@v1.1.0
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ team-token: ${{ steps.team_token.outputs.token }}
+ checks-token: ${{ steps.team_token.outputs.token }}
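Review bot: The `CI files` rule's exclude `^./gitlab/pipeline/zombienet.*` cannot match the path it is meant to exempt, because the unescaped `.` consumes the leading dot of `.gitlab` and the regex then demands a `/` where the path has `g`; as written the exclude is dead and zombienet pipeline changes still require two ci/release-engineering approvals. It should read `- ^\.gitlab/pipeline/zombienet.*`, matching the escaping used by the `^\.gitlab/.*` include directly above it. The `Core developers` exclude list also repeats `^polkadot/runtime/(kusama|polkadot)/src/[^/]+\.rs$` twice; one copy can go. The `Review Bot` rule's include `review-bot\.yml` is unanchored, so it also fires on any future file with that name anywhere in the tree; if only the two files this patch adds are meant, `^\.github/(workflows/)?review-bot\.yml$` is tighter.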
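Review bot: Both steps are pinned to mutable tags (`tibdex/github-app-token@v1`, `paritytech/review-bot@v1.1.0`) in a workflow that runs on `pull_request_target` and feeds the first step an app private key from `secrets.REVIEW_APP_KEY`; a moved tag or compromised release would then execute attacker-chosen code holding that key. Pin each `uses:` to a full-length commit SHA with the version in a trailing comment, e.g. `uses: tibdex/github-app-token@<sha> # v1`. The `permissions: contents: read` block and the absence of any `actions/checkout` step are what make `pull_request_target` safe here, so that invariant deserves a comment above `on:` such as `# pull_request_target: runs with base-repo secrets; never check out or execute PR-head code in this workflow`. It is not visible here whether the action reads `.github/review-bot.yml` from the base ref or from the PR head; confirm it is the base ref, otherwise a PR could rewrite the rules it is judged by.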