Add require approval stage so only maintainers can start CI stage wit…

…hout approval

Signed-off-by: Peter Zhu <[email protected]>

.github/workflows/CI-workflow.yml

@@ -14,13 +14,16 @@ permissions:
   contents: read
 
 jobs:
+  Get-Require-Approval:
+    uses: ./.github/workflows/require-approval.yml
+
   Get-CI-Image-Tag:
     uses: opensearch-project/opensearch-build/.github/workflows/get-ci-image-tag.yml@main
     with:
       product: opensearch
 
   Build-ml-linux:
-    needs: Get-CI-Image-Tag
+    needs: [Get-Require-Approval, Get-CI-Image-Tag]
     strategy:
       matrix:
         java: [21]
@@ -29,7 +32,7 @@ jobs:
 
     name: Build and Test MLCommons Plugin on linux
     if: github.repository == 'opensearch-project/ml-commons'
-    environment: ml-commons-cicd-env
+    environment: ${{ needs.Get-Require-Approval.outputs.is-require-approval }}
     outputs:
       build-test-linux: ${{ steps.step-build-test-linux.outputs.build-test-linux }}
     runs-on: ubuntu-latest
@@ -87,14 +90,14 @@ jobs:
 
 
   Test-ml-linux-docker:
-    needs: Build-ml-linux
+    needs: [Get-Require-Approval, Build-ml-linux]
     strategy:
       matrix:
         java: [21]
 
     name: Test MLCommons Plugin on linux docker
     if: github.repository == 'opensearch-project/ml-commons'
-    environment: ml-commons-cicd-env
+    environment: ${{ needs.Get-Require-Approval.outputs.is-require-approval }}
     runs-on: ubuntu-latest
 
     steps:
@@ -189,7 +192,8 @@ jobs:
         java: [21]
     name: Build and Test MLCommons Plugin on Windows
     if: github.repository == 'opensearch-project/ml-commons'
-    environment: ml-commons-cicd-env
+    needs: [Get-Require-Approval]
+    environment: ${{ needs.Get-Require-Approval.outputs.is-require-approval }}
     runs-on: windows-latest
 
     steps:

.github/workflows/require-approval.yml

@@ -0,0 +1,36 @@
+---
+name: Check if the workflow require approval
+on:
+  workflow_call:
+    outputs:
+      is-require-approval:
+        description: The ci image version for linux build
+        value: ${{ jobs.Require-Approval.outputs.output-is-require-approval }}
+
+jobs:
+  Require-Approval:
+    runs-on: ubuntu-latest
+    outputs:
+      output-is-require-approval: ${{ steps.step-is-require-approval.outputs.is-require-approval }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.base.sha }}
+      - name: Get CodeOwner List
+        id: step-is-require-approval
+        run: |
+          github_event = $${{ github.event_name }}
+          if [[ "$github_event" = "push" ]]; then
+            echo "Push event does not need approval"
+            echo "is-require-approval=ml-commons-cicd-env" >> $GITHUB_OUTPUT
+          else
+            approvers=$(cat .github/CODEOWNERS | grep @ | tr -d '* ' | sed 's/@/,/g' | sed 's/,//1')
+            author=${{ github.event.pull_request.user.login }}
+            if [[ "$approvers" =~ "$author" ]]; then
+              echo "$authoer is in the approval list"
+              echo "is-require-approval=ml-commons-cicd-env" >> $GITHUB_OUTPUT
+            else
+              echo "$author is not in the approval list"
+              echo "is-require-approval=ml-commons-cicd-env-require-approval" >> $GITHUB_OUTPUT
+            fi
+          fi