1# Hotfix Review Monitor
2#
3# Runs daily and checks for merged PRs with the 'hotfix' label that have not
4# received a post-merge review approval within one business day. Posts a summary to
5# Slack if any are found. This is a SOC2 compensating control for the
6# emergency hotfix fast path.
7#
8# Security note: No untrusted input (PR titles, bodies, etc.) is interpolated
9# into shell commands. All PR metadata is read via gh API + jq, not via
10# github.event context expressions.
11#
12# Required secrets:
13# SLACK_WEBHOOK_PR_REVIEW_BOT - Incoming webhook URL for the #pr-review-ops channel
14
15name: Hotfix Review Monitor
16
17on:
18 schedule:
19 - cron: "30 13 * * 1-5" # 1:30 PM UTC weekdays
20 workflow_dispatch: {}
21
22permissions:
23 contents: read
24 pull-requests: read
25
26jobs:
27 check-hotfix-reviews:
28 if: github.repository_owner == 'zed-industries'
29 runs-on: ubuntu-latest
30 timeout-minutes: 5
31 env:
32 REPO: ${{ github.repository }}
33 steps:
34 - name: Find unreviewed hotfixes
35 id: check
36 env:
37 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
38 run: |
39 # 80h lookback covers the Friday-to-Monday gap (72h) with buffer.
40 # Overlap on weekdays is harmless — reviewed PRs are filtered out below.
41 SINCE=$(date -u -v-80H +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
42 || date -u -d '80 hours ago' +%Y-%m-%dT%H:%M:%SZ)
43 SINCE_DATE=$(echo "$SINCE" | cut -dT -f1)
44
45 # Use the Search API to find hotfix PRs merged in the lookback window.
46 # The Pulls API with state=closed paginates through all closed PRs in
47 # the repo, which times out on large repos. The Search API supports
48 # merged:>DATE natively so GitHub does the filtering server-side.
49 gh api --paginate \
50 "search/issues?q=repo:${REPO}+is:pr+is:merged+label:hotfix+merged:>${SINCE_DATE}&per_page=100" \
51 --jq '[.items[] | {number, title, merged_at: .pull_request.merged_at}]' \
52 > /tmp/hotfix_prs.json
53
54 # Check each hotfix PR for a post-merge approving review
55 jq -r '.[].number' /tmp/hotfix_prs.json | while read -r PR_NUMBER; do
56 APPROVALS=$(gh api \
57 "repos/${REPO}/pulls/${PR_NUMBER}/reviews" \
58 --jq "[.[] | select(.state == \"APPROVED\")] | length")
59
60 if [ "$APPROVALS" -eq 0 ]; then
61 jq ".[] | select(.number == ${PR_NUMBER})" /tmp/hotfix_prs.json
62 fi
63 done | jq -s '.' > /tmp/unreviewed.json
64
65 COUNT=$(jq 'length' /tmp/unreviewed.json)
66 echo "count=$COUNT" >> "$GITHUB_OUTPUT"
67
68 - name: Notify Slack
69 if: steps.check.outputs.count != '0'
70 env:
71 SLACK_WEBHOOK_PR_REVIEW_BOT: ${{ secrets.SLACK_WEBHOOK_PR_REVIEW_BOT }}
72 COUNT: ${{ steps.check.outputs.count }}
73 run: |
74 # Build Block Kit payload from JSON — no shell interpolation of PR titles.
75 # Why jq? PR titles are attacker-controllable input. By reading them
76 # through jq -r from the JSON file and passing the result to jq --arg,
77 # the content stays safely JSON-encoded in the final payload. Block Kit
78 # doesn't change this — the same jq pipeline feeds into the blocks
79 # structure instead of plain text.
80 PRS=$(jq -r '.[] | "• <https://github.com/'"${REPO}"'/pull/\(.number)|#\(.number)> — \(.title) (merged \(.merged_at | split("T")[0]))"' /tmp/unreviewed.json)
81
82 jq -n \
83 --arg count "$COUNT" \
84 --arg prs "$PRS" \
85 '{
86 text: ($count + " hotfix PR(s) still need post-merge review"),
87 blocks: [
88 {
89 type: "section",
90 text: {
91 type: "mrkdwn",
92 text: (":rotating_light: *" + $count + " Hotfix PR(s) Need Post-Merge Review*")
93 }
94 },
95 {
96 type: "section",
97 text: { type: "mrkdwn", text: $prs }
98 },
99 { type: "divider" },
100 {
101 type: "context",
102 elements: [{
103 type: "mrkdwn",
104 text: "Hotfix PRs require review within one business day of merge."
105 }]
106 }
107 ]
108 }' | \
109 curl -s -X POST "$SLACK_WEBHOOK_PR_REVIEW_BOT" \
110 -H 'Content-Type: application/json' \
111 -d @-
112defaults:
113 run:
114 shell: bash -euxo pipefail {0}