workflows: dismiss reviews if bottle publish failed (#54324)

Reviews could be automatically dismissed on new commits pushed (there is
an option for that in repository settings on Github). That is not the
case for labels. They remain attached to a PR, even when new commits are
pushed. This is undesirable and creates security concerns, because
someone could introduce untested code just before the automerge happens.

.github/workflows/publish-commit-bottles.yml

@@ -100,13 +100,13 @@ jobs:
             const run_id = process.env.GITHUB_RUN_ID
             const actor = context.actor
             const pr = context.payload.client_payload.pull_request
+            const repository = context.repo.owner + '/' + context.repo.repo
+            const url = 'https://github.com/' + repository + '/actions/runs/' + run_id
+
             console.log("run_id=" + run_id)
             console.log("actor=" + actor)
             console.log("pr=" + pr)
 
-            const repository = context.repo.owner + '/' + context.repo.repo
-            const url = 'https://github.com/' + repository + '/actions/runs/' + run_id
-
             let comment = ':warning: '
             if (actor != 'BrewTestBot') {
                 comment += '@' + actor
@@ -120,8 +120,19 @@ jobs:
               body: comment
             })
 
-            github.issues.removeLabel({
+            const reviews = await github.pulls.listReviews({
               ...context.repo,
-              issue_number: pr,
-              name: "ready to merge"
+              pull_number: pr
             })
+
+            for (const review of reviews.data) {
+              if (review.state != "APPROVED")
+                continue
+
+              github.pulls.dismissReview({
+                ...context.repo,
+                pull_number: pr,
+                review_id: review.id,
+                message: "bottle publish failed"
+              });
+            }