WIP: add job to whitelist users #3
| name: Check membership | |
| on: | |
| push: | |
| branches: | |
| - julio/publising/add-job-to-whitelist-crate-releases | |
| workflow_dispatch: | |
| # pull_request: | |
| # types: [opened, edited] | |
| jobs: | |
| get-token: | |
| name: read contents of another repo | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write # Needed to federate tokens. | |
| outputs: | |
| sts_token: ${{ steps.octo-sts.outputs.token }} | |
| steps: | |
| - uses: DataDog/dd-octo-sts-action@08f2144903ced3254a3dafec2592563409ba2aa0 # v1.0.1 | |
| id: octo-sts | |
| with: | |
| scope: DataDog/libdatadog # target repository | |
| policy: YOUR_POLICY # trust policy in target repo, without the .sts.yaml extension | |
| - name: Use GH token | |
| run: | | |
| gh auth status | |
| gh repo list --visibility=internal DataDog | |
| env: | |
| GH_TOKEN: ${{ steps.octo-sts.outputs.token }} | |
| GH_PAGER: cat # (unrelated) needed to disable paging of gh cli | |
| check-membership: | |
| runs-on: ubuntu-latest | |
| needs: get-token | |
| steps: | |
| - name: Check if user is in the team allowed to make crate releases | |
| id: check | |
| uses: TheModdingInquisition/actions-team-membership@057d91bb80f2976a1bc6dfab5b4ae1da9aebbd89 #v1.0.1 | |
| with: | |
| team: 'libdatadog-owners' | |
| organization: 'Datadog' | |
| token: ${{ needs.get-token.outputs.sts_token }} # Needs 'read:org' scope | |
| exit: false | |
| - name: Check output | |
| run: | | |
| echo "User is permitted: ${{ steps.check.outputs.permitted }}" | |
| echo "Teams: ${{ steps.check.outputs.teams }}" | |
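Review bot: The `sts_token` job output in `get-token` carries the federated token across a job boundary, which either breaks or exposes it: if the action masks the token, GitHub drops the output as a secret and `token:` arrives empty in `check-membership`; if it does not, the credential is kept as plain job-output data. Mint the token inside `check-membership` itself, with `id-token: write` on that job only, and read it as `${{ steps.octo-sts.outputs.token }}`. The `gh repo list --visibility=internal DataDog` debug step writes internal repository names into the run log and should be removed before this leaves WIP. With `exit: false` followed only by `echo`, nothing is gated yet, and the `steps.check.outputs.*` values are safer passed through `env:` than expanded into the script text. Indentation is lost in this rendering, so the layout below is reconstructed.

```yaml
  check-membership:
    runs-on: ubuntu-latest
    # `needs: get-token` is no longer required once the token is minted here.
    permissions:
      id-token: write # Needed to federate tokens.
    steps:
      # … unchanged: dd-octo-sts-action step (id: octo-sts), moved here from get-token …
      - name: Check if user is in the team allowed to make crate releases
        id: check
        # … unchanged: uses, team, organization, exit …
        with:
          token: ${{ steps.octo-sts.outputs.token }}
      - name: Check output
        env:
          PERMITTED: ${{ steps.check.outputs.permitted }}
          TEAMS: ${{ steps.check.outputs.teams }}
        run: |
          echo "User is permitted: $PERMITTED"
          echo "Teams: $TEAMS"
```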