Create 2 tiered approval system

nvaccess · Aug 14, 2023 · 2734962 · 2734962
1 parent 3b22078
commit 2734962
Show file tree

Hide file tree

Showing 5 changed files with 116 additions and 61 deletions.
diff --git a/.github/workflows/checkAndSubmitAddonMetadata.yml b/.github/workflows/checkAndSubmitAddonMetadata.yml
@@ -14,8 +14,46 @@ on:
         type: string
 
 jobs:
-  verifySubmitter:
+  getAddonFilename:
     runs-on: windows-latest
+    strategy:
+      matrix:
+        python-version: [ 3.11 ]
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+    outputs:
+      addonFileName: ${{ steps.getMetadata.outputs.result }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ inputs.headRef }}
+      - name: Create validation errors file
+        run: echo "" > validationErrors.md
+      - name: Determine files changed
+        uses: actions/github-script@v6
+        id: getMetadata
+        env:
+          pullRequestNumber: ${{ inputs.pullRequestNumber }}
+        with:
+          script: |
+            const getAddonFilename = require('./.github/workflows/checkFilesChanged.js')
+            const url = "GET /repos/" + process.env.GITHUB_REPOSITORY + "/pulls/" + process.env.pullRequestNumber + "/files" 
+            const result = await github.request(url)
+            return getAddonFilename(result.data)
+      - name: Post validation errors as comment
+        if: failure()
+        uses: peter-evans/create-or-update-comment@v2
+        with:
+          issue-number: ${{ inputs.issueNumber }}
+          body-file: ./validationErrors.md
+  verifySubmitter:
+    # jq for windows has issues parsing multiline strings (e.g. CRLF),
+    # use linux instead.
+    runs-on: ubuntu-latest
+    needs: [getAddonFilename]
     strategy:
       matrix:
         python-version: [ 3.11 ]
@@ -26,13 +64,44 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
-      - name: Check if submitter is registered
+      - name: Check if submitter is trusted to submit for this add-on or any add-on ID
         id: checkReg
-        run: if ($(jq '. | .[\"${{ github.actor_id }}\"] | length' submitters.json) -eq 0) {throw "Submitter not registered"}
-      - name: Add submitter to JSON file
+        run: |
+          addonId=$(
+            echo ${{ needs.getAddonFilename.outputs.addonFileName }} \
+            | sed -r "s|addons/(.*)/.*\.json|\1|g"
+          )
+          jqCode="
+          . | .[\"${{ github.actor_id }}\"]
+          | select(
+            .trustedSubmitter
+            or (
+              .addons
+              | index(\"$addonId\")
+            )
+          )
+          | length
+          "
+
+          if [$(jq "$jqCode" submitters.json) -lt 1]; then
+            echo "Submitter not registered for add-on"
+            exit 1
+          fi
+      - name: Add add-on ID and submitter to JSON file
         if: failure()
         run: |
-          $(jq '. += {\"${{ github.actor_id }}\": \"${{ github.actor }}\"}' submitters.json) | echo > submitters.json
+          addonId=$(
+            echo ${{ needs.getAddonFilename.outputs.addonFileName }} \
+            | sed -r "s|addons/(.*)/.*\.json|\1|g"
+          )
+          jqCode="
+          .[\"${{ github.actor_id }}\"].addons += [\"$addonId\"]
+          | .[\"${{ github.actor_id }}\"].githubName = \"${{ github.actor }}\"
+          "
+
+          mv submitters.json submitters.old.json
+          jq "$jqCode" submitters.old.json > submitters.json
+          rm submitters.old.json
       - name: Create submitter approval PR
         if: failure()
         id: addSubmitterPR
@@ -54,8 +123,7 @@ jobs:
             Please wait until #${{ steps.addSubmitterPR.outputs.pull-request-number }} is merged.
   checkMetadata:
     runs-on: windows-latest
-    outputs:
-      addonFileName: ${{ steps.getMetadata.outputs.result }}
+    needs: [getAddonFilename]
     permissions:
       issues: write
       pull-requests: write
@@ -69,17 +137,6 @@ jobs:
         ref: ${{ inputs.headRef }}
     - name: Create validation errors file
       run: echo "" > validationErrors.md
-    - name: Determine files changed
-      uses: actions/github-script@v6
-      id: getMetadata
-      env:
-        pullRequestNumber: ${{ inputs.pullRequestNumber }}
-      with:
-        script: |
-          const getAddonFilename = require('./.github/workflows/checkFilesChanged.js')
-          const url = "GET /repos/" + process.env.GITHUB_REPOSITORY + "/pulls/" + process.env.pullRequestNumber + "/files" 
-          const result = await github.request(url)
-          return getAddonFilename(result.data)
     - name: Checkout validate repo
       uses: actions/checkout@v3
       with:
@@ -96,7 +153,7 @@ jobs:
         repository: nvaccess/addon-datastore-transform
         path: transform
     - name: Validate metadata
-      run: validation/runvalidate ${{ steps.getMetadata.outputs.result }} ./transform/nvdaAPIVersions.json --output ./validationErrors.md
+      run: validation/runvalidate ${{ needs.getAddonFilename.outputs.addonFileName }} ./transform/nvdaAPIVersions.json --output ./validationErrors.md
     - name: Post validation errors as comment
       if: failure()
       uses: peter-evans/create-or-update-comment@v2
@@ -115,7 +172,7 @@ jobs:
       with:
         issue-number: ${{ inputs.issueNumber }}
   mergeToMaster:
-    needs: [checkMetadata, verifySubmitter]
+    needs: [getAddonFilename, checkMetadata, verifySubmitter]
     permissions:
       contents: write
       pull-requests: write
@@ -129,7 +186,7 @@ jobs:
       with:
         source_ref: ${{ inputs.headRef }}
         target_branch: master
-        commit_message_template: '[Automated] Merged ${{ needs.checkMetadata.outputs.addonFileName }} (#${{ inputs.pullRequestNumber }}) into master'
+        commit_message_template: '[Automated] Merged ${{ needs.getAddonFilename.outputs.addonFileName }} (#${{ inputs.pullRequestNumber }}) into master'
   call-workflow:
     needs: mergeToMaster
     uses: ./.github/workflows/transformDataToViews.yml
diff --git a/README.md b/README.md
@@ -20,12 +20,13 @@ The checksum allows NVDA to ensure that add-on releases are immutable.
 
 ### Human review process / code audit
 - NV Access doesn't require a manual review of the add-on (code or user experience) itself before the add-on submission.
+- NV Access manually maintains a list of approved submitters with permission to submit an add-on to the store
 - You are welcome to review code / UX of add-ons and provide that feedback directly to add-on authors.
 - The SHA256 checksum of the `.nvda-addon` prevents undetected changes.
 - Add-ons should comply with the [NVDA code of conduct](https://github.com/nvaccess/nvda/blob/master/CODE_OF_CONDUCT.md).
 Add-ons which are malicious or otherwise break the code of conduct can be removed by:
   - Opening a pull request to remove the submitted add-on metadata
-  - Sending an email to [email protected]
+  - Sending an email to <[email protected]>
 
 ### Non-exclusivity
 This system does not restrict add-on authors from developing, publishing, and distributing an add-on outside this store.

diff --git a/addons/IntelliJImproved/1.3.2.json b/addons/IntelliJImproved/1.3.2.json
diff --git a/docs/submitters/submissionGuide.md b/docs/submitters/submissionGuide.md
@@ -1,8 +1,6 @@
 # Submission Guide
 If your add-on was hosted on [addonFiles](https://github.com/nvaccess/addonFiles) please read the [migrating to datastore guide](./migratingFromAddonFiles.md).
 
-Submitted add-ons should comply with the [NVDA code of conduct](https://github.com/nvaccess/nvda/blob/master/CODE_OF_CONDUCT.md)
-
 ## Background
 Submitting an add-on version is done via a GitHub issue form.
 A JSON metadata file is generated from the issue form and the add-on's manifest.
@@ -13,9 +11,17 @@ Automated validation checks are run against the pull request.
 If there are validation errors, they will be commented on the pull request.
 Otherwise, the pull request will be merged, the issue will be closed and the add-on will become available in the Add-on Store.
 
-It is expected that submitters do not hijack add-on IDs by submitting an add-on which shares an add-on ID of an existing add-on.
-If you are an add-on author and your add-on ID has been hijacked, please open an issue or contact <[email protected]>.
-Submitters which abuse this process will have their submission approval revoked.
+### Approval process
+Publishers must be approved to submit add-ons, on a per add-on basis.
+If you do not maintain the submitted add-on's repository, it is expected that you have authorisation to publish the add-on from the authors.
+
+If you submit many add-ons you may be granted trusted submitter status, which allows you to publish/submit for all add-ons.
+It is expected that trusted submitters do not abuse this process.
+
+Submitted add-ons should comply with the [NVDA code of conduct](https://github.com/nvaccess/nvda/blob/master/CODE_OF_CONDUCT.md).
+
+Submitters which abuse the submission process will have their submitter approval revoked.
+Please report any issues with submitted add-ons to <[email protected]>.
 
 ## Steps to submit an add-on
 1. Select ["Add-on registration" from the new issue options](https://github.com/nvaccess/addon-datastore/issues/new/choose).

diff --git a/submitters.json b/submitters.json
@@ -1,7 +1,27 @@
 {
-  "7090342": "seanbudd",
-  "15809252": "nvdaes",
-  "7867280": "josephsl",
-  "8139760": "XLTechie",
-  "75214948": "RPTools-org"
+  "15809252": {
+    "githubName": "nvdaes",
+    "trustedSubmitter": true
+  },
+  "7867280": {
+    "githubName": "josephsl",
+    "trustedSubmitter": true
+  },
+  "8139760": {
+    "githubName": "XLTechie",
+    "trustedSubmitter": true
+  },
+  "16865203": {
+    "githubName": "CyrilleB79",
+    "trustedSubmitter": true
+  },
+  "75214948": {
+    "githubName": "RPTools-org",
+    "addons": [
+        "controlTypeBeforeLabel",
+        "filezilla",
+        "landropPlus",
+        "thunderbirdPlus"
+    ]
+  }
 }