ci: set an allowlist to publish packages

hoolioh · hoolioh · commit 552d4859bf8b · 2026-02-16T11:25:54.000+01:00
diff --git a/.github/workflows/release-proposal-dispatch.yml b/.github/workflows/release-proposal-dispatch.yml
@@ -55,6 +55,30 @@ jobs:
           fi
           echo "No release proposal is ongoing."
 
+  check-membership:
+    permissions:
+      id-token: write # Enable OIDC
+    steps:
+      - uses: DataDog/dd-octo-sts-action@08f2144903ced3254a3dafec2592563409ba2aa0 # v1.0.1
+        id: octo-sts
+        with:
+          scope: DataDog/libdatadog  # target repository
+          policy: self.read.members  # trust policy in target repo, without the .sts.yaml extension
+
+      - name: Check if user is in the team allowed to make crate releases
+        id: check
+        uses: TheModdingInquisition/actions-team-membership@057d91bb80f2976a1bc6dfab5b4ae1da9aebbd89 #v1.0.1
+        with:
+          team: 'apm-common-components-core'
+          organization: 'Datadog'
+          token: ${{ steps.octo-sts.outputs.token }} # Needs 'read:org' scope
+          exit: false
+
+      - name: Check output
+        run: |
+          echo "User is permitted: ${{ steps.check.outputs.permitted }}"
+          echo "Teams: ${{ steps.check.outputs.teams }}"
+    
   update-release-branch:
     permissions:
       id-token: write # Enable OIDC
