From 8bd3b4933495084565c0b24f84f58d08c4070136 Mon Sep 17 00:00:00 2001
From: Javier Bullrich
Date: Sun, 17 Sep 2023 22:09:27 -0300
Subject: [PATCH] add review-bot to require fellows as reviewers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Created a Github Action that uses the [Review-Bot app](https://github.com/paritytech/review-bot) to require fellows to review pull requests before allowing the PR to be merged. The user's information is fetched always from the chain after every event. It looks in the fellows data for a field named GitHub and it extracts the handle from there.

This resolves #7 (you can find more information about the request there)

This uses [`pull_request_target`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target) for the event, not `pull_request`. This is a security measure so that an attacker doesn’t have access to the secrets.
---
 .github/review-bot.yml | 42 ++++++++++++++++++++++++++++++++
 .github/workflows/review-bot.yml | 32 ++++++++++++++++++++++++
 2 files changed, 74 insertions(+)
 create mode 100644 .github/review-bot.yml
 create mode 100644 .github/workflows/review-bot.yml

diff --git a/.github/review-bot.yml b/.github/review-bot.yml
new file mode 100644
index 0000000000..13aad08ac6
--- /dev/null
+++ b/.github/review-bot.yml
@@ -0,0 +1,42 @@
+rules:
+  - name: CI Files
+    condition:
+      include:
+        - ^\.github/.*
+    type: basic
+    minFellowsRank: 2
+  - name: Relay files
+    condition:
+      include:
+        - ^relay\/kusama\/.*
+        - ^relay\/polkadot\/.*
+      exclude:
+        - ^relay\/.+\.adoc$
+    type: basic
+    minFellowsRank: 4
+  - name: System Parachain Files
+    condition:
+      include:
+        - ^system-parachains\/.*
+    type: basic
+    minFellowsRank: 2
+  - name: Target Files
+    condition:
+      include:
+        - ^target\/.*
+      exclude:
+        - 'README.md'
+    type: basic
+    minFellowsRank: 4
+  - name: General Files
+    condition:
+      include:
+        - '.*'
+      exclude:
+        - ^relay\/kusama\/.*
+        - ^relay\/polkadot\/.*
+        - ^\.github/.*
+        - ^system-parachains\/.*
+        - ^target\/.*
+    type: basic
+    minFellowsRank: 1
diff --git a/.github/workflows/review-bot.yml b/.github/workflows/review-bot.yml
new file mode 100644
index 0000000000..b4eca7688d
--- /dev/null
+++ b/.github/workflows/review-bot.yml
@@ -0,0 +1,32 @@
+name: Review PR
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - review_requested
+      - review_request_removed
+      - ready_for_review
+  pull_request_review:
+
+permissions:
+  contents: read
+  checks: write
+
+jobs:
+  review-approvals:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate token
+        id: team_token
+        uses: tibdex/github-app-token@v1
+        with:
+          app_id: ${{ secrets.REVIEW_APP_ID }}
+          private_key: ${{ secrets.REVIEW_APP_KEY }}
+      - name: "Evaluates PR reviews and assigns reviewers"
+        uses: paritytech/review-bot@v1.1.0
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          team-token: ${{ steps.team_token.outputs.token }}
+          checks-token: ${{ steps.team_token.outputs.token }}
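Review bot: The "CI Files" rule lets a rank-2 fellow approve anything under `^\.github/.*`, which includes this policy file and the workflow that enforces it, while relay and target files require rank 4 — so a rank-2 approval could relax or remove the rank-4 requirement for those paths. Consider a dedicated rule for the enforcement files, e.g. `- ^\.github\/review-bot\.yml$` and `- ^\.github\/workflows\/.*`, at the highest rank used in this file, and check how review-bot combines overlapping rules before relying on it. The "Target Files" exclude `'README.md'` is unanchored with an unescaped dot, so it also matches any path containing e.g. `README-md`; `^target\/README\.md$` states what was presumably intended. Escaping of `/` is inconsistent (`^\.github/.*` vs `^relay\/kusama\/.*`); both work, but one form should be used throughout.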
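Review bot: Both third-party actions are referenced by mutable tags (`tibdex/github-app-token@v1`, `paritytech/review-bot@v1.1.0`) in a workflow that runs on `pull_request_target` with the app's private key in scope, so a moved or compromised tag would execute unreviewed code with that key. Pin each to a full commit SHA and keep the tag as a comment, e.g. `uses: tibdex/github-app-token@<full-commit-sha>  # v1` (placeholder — take the SHA from the release). The job is safe under `pull_request_target` only because no step checks out or runs PR-head code; a comment above `steps:` such as `# pull_request_target: secrets are in scope — never check out or execute the PR head in this job` would stop a later edit from silently breaking that property. `permissions:` grants only `contents: read` and `checks: write`; if review-bot reads PR reviews through `repo-token`, `pull-requests: read` may also be needed — confirm against the action's documentation.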