hotfix-review-monitor.yml

  1# Hotfix Review Monitor
  2#
  3# Runs daily and checks for merged PRs with the 'hotfix' label that have not
  4# received a post-merge review approval within one business day. Posts a summary to
  5# Slack if any are found. This is a SOC2 compensating control for the
  6# emergency hotfix fast path.
  7#
  8# Security note: No untrusted input (PR titles, bodies, etc.) is interpolated
  9# into shell commands. All PR metadata is read via gh API + jq, not via
 10# github.event context expressions.
 11#
 12# Required secrets:
 13#   SLACK_WEBHOOK_PR_REVIEW_BOT - Incoming webhook URL for the #pr-review-ops channel
 14
 15name: Hotfix Review Monitor
 16
 17on:
 18  schedule:
 19    - cron: "30 13 * * 1-5" # 1:30 PM UTC weekdays
 20  workflow_dispatch: {}
 21
 22permissions:
 23  contents: read
 24  pull-requests: read
 25
 26jobs:
 27  check-hotfix-reviews:
 28    if: github.repository_owner == 'zed-industries'
 29    runs-on: ubuntu-latest
 30    timeout-minutes: 5
 31    env:
 32      REPO: ${{ github.repository }}
 33    steps:
 34      - name: Find unreviewed hotfixes
 35        id: check
 36        env:
 37          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 38        run: |
 39          # 80h lookback covers the Friday-to-Monday gap (72h) with buffer.
 40          # Overlap on weekdays is harmless — reviewed PRs are filtered out below.
 41          SINCE=$(date -u -v-80H +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
 42            || date -u -d '80 hours ago' +%Y-%m-%dT%H:%M:%SZ)
 43          SINCE_DATE=$(echo "$SINCE" | cut -dT -f1)
 44
 45          # Use the Search API to find hotfix PRs merged in the lookback window.
 46          # The Pulls API with state=closed paginates through all closed PRs in
 47          # the repo, which times out on large repos. The Search API supports
 48          # merged:>DATE natively so GitHub does the filtering server-side.
 49          gh api --paginate \
 50            "search/issues?q=repo:${REPO}+is:pr+is:merged+label:hotfix+merged:>${SINCE_DATE}&per_page=100" \
 51            --jq '[.items[] | {number, title, merged_at: .pull_request.merged_at}]' \
 52            > /tmp/hotfix_prs.json
 53
 54          # Check each hotfix PR for a post-merge approving review
 55          jq -r '.[].number' /tmp/hotfix_prs.json | while read -r PR_NUMBER; do
 56            APPROVALS=$(gh api \
 57              "repos/${REPO}/pulls/${PR_NUMBER}/reviews" \
 58              --jq "[.[] | select(.state == \"APPROVED\")] | length")
 59
 60            if [ "$APPROVALS" -eq 0 ]; then
 61              jq ".[] | select(.number == ${PR_NUMBER})" /tmp/hotfix_prs.json
 62            fi
 63          done | jq -s '.' > /tmp/unreviewed.json
 64
 65          COUNT=$(jq 'length' /tmp/unreviewed.json)
 66          echo "count=$COUNT" >> "$GITHUB_OUTPUT"
 67
 68      - name: Notify Slack
 69        if: steps.check.outputs.count != '0'
 70        env:
 71          SLACK_WEBHOOK_PR_REVIEW_BOT: ${{ secrets.SLACK_WEBHOOK_PR_REVIEW_BOT }}
 72          COUNT: ${{ steps.check.outputs.count }}
 73        run: |
 74          # Build Block Kit payload from JSON — no shell interpolation of PR titles.
 75          # Why jq? PR titles are attacker-controllable input. By reading them
 76          # through jq -r from the JSON file and passing the result to jq --arg,
 77          # the content stays safely JSON-encoded in the final payload. Block Kit
 78          # doesn't change this — the same jq pipeline feeds into the blocks
 79          # structure instead of plain text.
 80          PRS=$(jq -r '.[] | "• <https://github.com/'"${REPO}"'/pull/\(.number)|#\(.number)> — \(.title) (merged \(.merged_at | split("T")[0]))"' /tmp/unreviewed.json)
 81
 82          jq -n \
 83            --arg count "$COUNT" \
 84            --arg prs "$PRS" \
 85            '{
 86              text: ($count + " hotfix PR(s) still need post-merge review"),
 87              blocks: [
 88                {
 89                  type: "section",
 90                  text: {
 91                    type: "mrkdwn",
 92                    text: (":rotating_light: *" + $count + " Hotfix PR(s) Need Post-Merge Review*")
 93                  }
 94                },
 95                {
 96                  type: "section",
 97                  text: { type: "mrkdwn", text: $prs }
 98                },
 99                { type: "divider" },
100                {
101                  type: "context",
102                  elements: [{
103                    type: "mrkdwn",
104                    text: "Hotfix PRs require review within one business day of merge."
105                  }]
106                }
107              ]
108            }' | \
109          curl -s -X POST "$SLACK_WEBHOOK_PR_REVIEW_BOT" \
110            -H 'Content-Type: application/json' \
111            -d @-
112defaults:
113  run:
114    shell: bash -euxo pipefail {0}