NO-JIRA: DownStream Merge [06-15-2026]

.github/scripts/area-merge.js

@@ -0,0 +1,338 @@
+// Area Maintainer Merge Bot
+//
+// Parses CODEOWNERS to determine area maintainer authorization, then verifies
+// file scope and CI status before merging PRs via /area-maintainer-approved.
+//
+// Called from .github/workflows/area-merge.yml via actions/github-script.
+
+const fs = require('fs');
+
+module.exports = async ({ github, context, core }) => {
+  // --- Determine which PRs to process and who triggered ---
+  let pullNumbers = [];
+  let commenter = null;
+
+  if (context.eventName === 'issue_comment') {
+    pullNumbers.push(context.payload.issue.number);
+    commenter = context.payload.comment.user.login.toLowerCase();
+  } else if (context.eventName === 'check_suite') {
+    const suite = context.payload.check_suite;
+    for (const pr of (suite.pull_requests || [])) {
+      pullNumbers.push(pr.number);
+    }
+  }
+
+  if (pullNumbers.length === 0) {
+    core.info('No pull requests to process');
+    return;
+  }
+
+  // --- Parse CODEOWNERS ---
+  // Extracts two things:
+  //   1. Pattern rules: which users are listed on each file pattern line (for review assignment)
+  //   2. Area maintainers: parsed from section header comments matching
+  //      "Area Maintainer: @user1 @user2" — only these users can trigger merges
+  const codeownersContent = fs.readFileSync('CODEOWNERS', 'utf8');
+  const rules = [];
+  let currentAreaMaintainers = [];
+
+  for (const line of codeownersContent.split('\n')) {
+    const trimmed = line.trim();
+
+    // Parse area maintainer(s) from section header comments
+    // Format: # ... (Area Maintainer: @user1 @user2)
+    const maintainerMatch = trimmed.match(/Area Maintainer[s]?:\s*((?:@[\w-]+[\s,]*)+)/i);
+    if (maintainerMatch) {
+      currentAreaMaintainers = maintainerMatch[1]
+        .match(/@[\w-]+/g)
+        .map(u => u.replace('@', '').toLowerCase());
+      continue;
+    }
+
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    const parts = trimmed.split(/\s+/);
+    if (parts.length < 2) continue;
+    const pattern = parts[0];
+    if (pattern === '*') continue;
+    const owners = parts.slice(1).map(o => o.replace('@', '').toLowerCase());
+    rules.push({ pattern, owners, areaMaintainers: [...currentAreaMaintainers] });
+  }
+
+  function matchPattern(pattern, filePath) {
+    const normalizedFile = '/' + filePath;
+    if (pattern.endsWith('/')) {
+      return normalizedFile.startsWith(pattern) ||
+             normalizedFile === pattern.slice(0, -1);
+    }
+    return normalizedFile === pattern;
+  }
+
+  // Last matching rule wins, mirroring CODEOWNERS precedence.
+  function findAreaMaintainers(filePath) {
+    let maintainers = null;
+    for (const rule of rules) {
+      if (matchPattern(rule.pattern, filePath)) {
+        maintainers = rule.areaMaintainers;
+      }
+    }
+    return maintainers;
+  }
+
+  async function fetchAllComments(prNumber) {
+    const allComments = [];
+    let page = 1;
+    while (true) {
+      const { data: comments } = await github.rest.issues.listComments({
+        owner: context.repo.owner,
+        repo: context.repo.repo,
+        issue_number: prNumber,
+        per_page: 100,
+        page: page,
+      });
+      if (comments.length === 0) break;
+      allComments.push(...comments);
+      if (comments.length < 100) break;
+      page++;
+    }
+    return allComments;
+  }
+
+  // --- Process each PR ---
+  for (const prNumber of pullNumbers) {
+    core.info(`Processing PR #${prNumber}`);
+
+    const { data: pr } = await github.rest.pulls.get({
+      owner: context.repo.owner,
+      repo: context.repo.repo,
+      pull_number: prNumber,
+    });
+
+    if (pr.state !== 'open') {
+      core.info(`PR #${prNumber} is ${pr.state}, skipping`);
+      continue;
+    }
+
+    // Prevent PR authors from merging their own PRs
+    const prAuthor = pr.user.login.toLowerCase();
+    if (commenter && commenter === prAuthor) {
+      core.info(`PR #${prNumber} author ${prAuthor} cannot approve their own PR`);
+      await github.rest.issues.createComment({
+        owner: context.repo.owner,
+        repo: context.repo.repo,
+        issue_number: prNumber,
+        body: `@${commenter} you cannot use \`/area-maintainer-approved\` on your own PR. ` +
+          `Another area maintainer or a repo maintainer must approve and merge it.`,
+      });
+      continue;
+    }
+
+    // For check_suite retries, find who previously ran /area-maintainer-approved
+    let requester = commenter;
+    let allComments = null;
+    if (!requester) {
+      allComments = await fetchAllComments(prNumber);
+      const mergeComment = [...allComments]
+        .reverse()
+        .find(c => c.body.includes('/area-maintainer-approved') &&
+                   c.user.login !== 'github-actions[bot]' &&
+                   c.user.login.toLowerCase() !== prAuthor);
+      if (mergeComment) {
+        requester = mergeComment.user.login.toLowerCase();
+      }
+    }
+
+    if (!requester) {
+      core.info(`No /area-maintainer-approved request found for PR #${prNumber}, skipping`);
+      continue;
+    }
+
+    // For check_suite, verify the bot posted a "waiting" comment for the current head SHA.
+    // If new commits were pushed after approval, the SHA won't match and we skip
+    // to prevent merging code the area maintainer never reviewed.
+    if (context.eventName === 'check_suite') {
+      if (!allComments) allComments = await fetchAllComments(prNumber);
+      const waitingMarker = `<!-- area-merge-sha:${pr.head.sha} -->`;
+      const isWaiting = allComments.some(c =>
+        c.user.login === 'github-actions[bot]' &&
+        c.body.includes(waitingMarker)
+      );
+      if (!isWaiting) {
+        core.info(`PR #${prNumber} has no waiting marker for current SHA ${pr.head.sha}, skipping`);
+        continue;
+      }
+    }
+
+    core.info(`/area-maintainer-approved requested by: ${requester}`);
+
+    // Get changed files (paginate for large PRs)
+    const changedFiles = [];
+    let page = 1;
+    while (true) {
+      const { data: files } = await github.rest.pulls.listFiles({
+        owner: context.repo.owner,
+        repo: context.repo.repo,
+        pull_number: prNumber,
+        per_page: 100,
+        page: page,
+      });
+      if (files.length === 0) break;
+      changedFiles.push(...files.map(f => f.filename));
+      if (files.length < 100) break;
+      page++;
+    }
+
+    core.info(`Changed files (${changedFiles.length}): ${changedFiles.join(', ')}`);
+
+    // Check authorization: requester must be an area maintainer for ALL changed files
+    const unauthorizedFiles = [];
+    for (const file of changedFiles) {
+      const maintainers = findAreaMaintainers(file);
+      if (!maintainers || !maintainers.includes(requester)) {
+        unauthorizedFiles.push(file);
+      }
+    }
+
+    if (unauthorizedFiles.length > 0) {
+      core.info(`Unauthorized files: ${unauthorizedFiles.join(', ')}`);
+      await github.rest.issues.createComment({
+        owner: context.repo.owner,
+        repo: context.repo.repo,
+        issue_number: prNumber,
+        body: `@${requester} cannot merge this PR via \`/area-maintainer-approved\`.\n\n` +
+          `You are not listed as an Area Maintainer for the following files in \`CODEOWNERS\`:\n` +
+          unauthorizedFiles.map(f => `- \`${f}\``).join('\n') +
+          `\n\nOnly area maintainers (listed in the \`Area Maintainer:\` section header in CODEOWNERS) can trigger merges. ` +
+          `A repo maintainer from \`ovn-kubernetes-committers\` is required to merge this PR.`,
+      });
+      continue;
+    }
+
+    // Check CI status
+    const ref = pr.head.sha;
+
+    const allCheckRuns = [];
+    let checkPage = 1;
+    while (true) {
+      const { data } = await github.rest.checks.listForRef({
+        owner: context.repo.owner,
+        repo: context.repo.repo,
+        ref: ref,
+        per_page: 100,
+        page: checkPage,
+      });
+      allCheckRuns.push(...data.check_runs);
+      if (allCheckRuns.length >= data.total_count) break;
+      checkPage++;
+    }
+
+    const { data: combinedStatus } = await github.rest.repos.getCombinedStatusForRef({
+      owner: context.repo.owner,
+      repo: context.repo.repo,
+      ref: ref,
+    });
+
+    const pendingChecks = [];
+    const failedChecks = [];
+
+    for (const run of allCheckRuns) {
+      if (run.name === 'area-merge') continue;
+      if (run.status !== 'completed') {
+        pendingChecks.push(run.name);
+      } else if (run.conclusion !== 'success' && run.conclusion !== 'neutral' && run.conclusion !== 'skipped') {
+        failedChecks.push(run.name);
+      }
+    }
+
+    // Gate on the aggregate state first — it covers ALL commit statuses
+    // regardless of pagination, so we never miss a failure or pending status.
+    // Then iterate the (possibly partial) statuses array for detailed names.
+    if (combinedStatus.state === 'failure') {
+      for (const status of combinedStatus.statuses) {
+        if (status.state === 'failure' || status.state === 'error') {
+          failedChecks.push(status.context);
+        }
+      }
+      if (failedChecks.length === 0) {
+        failedChecks.push('(commit status failure — details may be on a later page)');
+      }
+    } else if (combinedStatus.state === 'pending') {
+      for (const status of combinedStatus.statuses) {
+        if (status.state === 'pending') {
+          pendingChecks.push(status.context);
+        } else if (status.state === 'failure' || status.state === 'error') {
+          failedChecks.push(status.context);
+        }
+      }
+      if (pendingChecks.length === 0 && failedChecks.length === 0) {
+        pendingChecks.push('(commit status pending — details may be on a later page)');
+      }
+    }
+
+    if (failedChecks.length > 0) {
+      core.info(`Failed checks: ${failedChecks.join(', ')}`);
+      await github.rest.issues.createComment({
+        owner: context.repo.owner,
+        repo: context.repo.repo,
+        issue_number: prNumber,
+        body: `Cannot merge via \`/area-maintainer-approved\`: the following CI checks have failed:\n` +
+          failedChecks.map(c => `- \`${c}\``).join('\n') +
+          `\n\nPlease fix the failures and run \`/area-maintainer-approved\` again.`,
+      });
+      continue;
+    }
+
+    if (pendingChecks.length > 0) {
+      core.info(`Pending checks: ${pendingChecks.join(', ')}`);
+
+      const shaMarker = `<!-- area-merge-sha:${ref} -->`;
+      if (!allComments) allComments = await fetchAllComments(prNumber);
+      const alreadyWaiting = allComments.some(c =>
+        c.user.login === 'github-actions[bot]' &&
+        c.body.includes(shaMarker)
+      );
+      if (!alreadyWaiting) {
+        await github.rest.issues.createComment({
+          owner: context.repo.owner,
+          repo: context.repo.repo,
+          issue_number: prNumber,
+          body: `${shaMarker}\nArea maintainer @${requester} has approved this PR via \`/area-maintainer-approved\`. ` +
+            `Waiting on CI checks to complete — will merge automatically when all checks pass.\n\n` +
+            `Pending checks:\n` +
+            pendingChecks.map(c => `- \`${c}\``).join('\n'),
+        });
+      }
+      continue;
+    }
+
+    // All checks passed, authorized — merge!
+    core.info(`All checks passed. Merging PR #${prNumber}`);
+    try {
+      await github.rest.pulls.merge({
+        owner: context.repo.owner,
+        repo: context.repo.repo,
+        pull_number: prNumber,
+        sha: ref,
+        merge_method: 'merge',
+        commit_title: `Merge pull request #${prNumber} (/area-maintainer-approved by @${requester})`,
+      });
+
+      await github.rest.issues.createComment({
+        owner: context.repo.owner,
+        repo: context.repo.repo,
+        issue_number: prNumber,
+        body: `PR merged by area maintainer @${requester} via \`/area-maintainer-approved\`.`,
+      });
+
+      core.info(`Successfully merged PR #${prNumber}`);
+    } catch (e) {
+      core.setFailed(`Failed to merge PR #${prNumber}: ${e.message}`);
+      await github.rest.issues.createComment({
+        owner: context.repo.owner,
+        repo: context.repo.repo,
+        issue_number: prNumber,
+        body: `Failed to merge this PR: \`${e.message}\`\n\n` +
+          `A repo maintainer may need to merge manually.`,
+      });
+    }
+  }
+};

.github/workflows/area-merge.yml

@@ -0,0 +1,38 @@
+name: "Area Maintainer Merge"
+
+on:
+  issue_comment:
+    types: [created]
+  check_suite:
+    types: [completed]
+
+jobs:
+  area-merge:
+    if: >
+      (github.event_name == 'issue_comment' &&
+       github.event.issue.pull_request &&
+       contains(github.event.comment.body, '/area-maintainer-approved')) ||
+      github.event_name == 'check_suite'
+    permissions:
+      contents: write
+      pull-requests: write
+      checks: read
+      statuses: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout base branch (for CODEOWNERS and scripts)
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          ref: ${{ github.event.repository.default_branch }}
+          sparse-checkout: |
+            CODEOWNERS
+            .github/scripts/area-merge.js
+          persist-credentials: false
+
+      - name: Area maintainer merge check
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const script = require('./.github/scripts/area-merge.js');
+            await script({ github, context, core });