From b100401e297f12a227517cd9b94333f0ae968c3b Mon Sep 17 00:00:00 2001
From: Brad Rydzewski
Date: Sat, 18 Mar 2017 23:40:12 +0800
Subject: [PATCH] only force approval when secrets exposed
---
 server/hook.go | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/server/hook.go b/server/hook.go
index 0a30dfe1..42f30f38 100644
--- a/server/hook.go
+++ b/server/hook.go
@@ -155,10 +155,28 @@ func PostHook(c *gin.Context) {
 }
 }
- // TODO default logic should avoid the approval if all
- // secrets have skip-verify flag
+ secs, err := store.GetMergedSecretList(c, repo)
+ if err != nil {
+ logrus.Debugf("Error getting secrets for %s#%d. %s", repo.FullName, build.Number, err)
+ }
+ var mustApprove bool
 if build.Event == model.EventPull {
+ for _, sec := range secs {
+ if sec.SkipVerify {
+ continue
+ }
+ if sec.MatchEvent(model.EventPull) {
+ mustApprove = true
+ break
+ }
+ }
+ if !mustApprove {
+ logrus.Debugf("no secrets exposed to pull_request: status: accepted")
+ }
+ }
+
+ if build.Event == model.EventPull && mustApprove {
 old, ferr := remote_.FileRef(user, repo, build.Branch, cfg.Yaml)
 if ferr != nil {
 build.Status = model.StatusBlocked
@@ -219,10 +237,6 @@ func PostHook(c *gin.Context) {
 // get the previous build so that we can send
 // on status change notifications
 last, _ := store.GetBuildLastBefore(c, repo, build.Branch, build.ID)
- secs, err := store.GetMergedSecretList(c, repo)
- if err != nil {
- logrus.Debugf("Error getting secrets for %s#%d. %s", repo.FullName, build.Number, err)
- }
 //
 // BELOW: NEW
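Review bot: A failed `store.GetMergedSecretList` call in the first hunk is only logged at debug level, after which `secs` is nil, `mustApprove` stays false and a pull request build skips the approval gate, so the check fails open on a store error. Defaulting to approval when the secret list is unknown keeps the gate closed: replace `var mustApprove bool` with `mustApprove := err != nil`, and raise the log call to `logrus.Errorf` so the failure is visible in normal operation. The second hunk removes the later lookup, so the same `secs` value presumably feeds the build further down; that code is outside the hunk and worth confirming. PostHook's body starts and ends outside this hunk.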