1010 types : [opened, reopened, synchronize]
1111 branches :
1212 - main
13-
13+
14+ pull_request :
15+ types : [opened, reopened, synchronize]
1416
1517jobs :
1618 comment-on-pr :
@@ -19,73 +21,15 @@ jobs:
1921 pull-requests : write
2022
2123 steps :
22- # NOTE: The following checks may not be accurate depending on Org or Repo settings.
23- - name : Check user and potential secret access
24- id : check-secrets-access
25- env :
26- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
27- run : |
28- USER_LOGIN="${{ github.event.pull_request.user.login }}"
29- REPO_OWNER="${{ github.repository_owner }}"
30- REPO_NAME="${{ github.event.repository.name }}"
31-
32- echo "Pull request opened by: $USER_LOGIN"
33-
34- # Check if PR is from a fork
35- IS_FORK=$([[ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]] && echo "true" || echo "false")
36-
37- HAS_ACCESS="false"
38-
39- # Check user's permission level on the repository
40- USER_PERMISSION=$(gh api repos/$REPO_OWNER/$REPO_NAME/collaborators/$USER_LOGIN/permission --jq '.permission')
41-
42- if [[ "$USER_PERMISSION" == "admin" || "$USER_PERMISSION" == "write" ]]; then
43- HAS_ACCESS="true"
44- elif [[ "$USER_PERMISSION" == "read" ]]; then
45- # For read access, we need to check if the user has been explicitly granted secret access
46- # This information is not directly available via API, so we'll make an assumption
47- # that read access does not imply secret access
48- HAS_ACCESS="false"
49- fi
50-
51- # Check if repo owner is an organization
52- IS_ORG=$(gh api users/$REPO_OWNER --jq '.type == "Organization"')
53-
54- if [[ "$IS_ORG" == "true" && "$HAS_ACCESS" == "false" ]]; then
55- # Check if user is a member of any team with write or admin access to the repo
56- TEAMS_WITH_ACCESS=$(gh api repos/$REPO_OWNER/$REPO_NAME/teams --jq '.[] | select(.permission == "push" or .permission == "admin") | .slug')
57- for team in $TEAMS_WITH_ACCESS; do
58- IS_TEAM_MEMBER=$(gh api orgs/$REPO_OWNER/teams/$team/memberships/$USER_LOGIN --silent && echo "true" || echo "false")
59- if [[ "$IS_TEAM_MEMBER" == "true" ]]; then
60- HAS_ACCESS="true"
61- break
62- fi
63- done
64- fi
65-
66- # If it's a fork, set HAS_ACCESS to false regardless of other checks
67- if [[ "$IS_FORK" == "true" ]]; then
68- HAS_ACCESS="false"
69- fi
70-
71- echo "has_secrets_access=$HAS_ACCESS" >> $GITHUB_OUTPUT
72- if [[ "$HAS_ACCESS" == "true" ]]; then
73- echo "User $USER_LOGIN likely has access to secrets"
74- else
75- echo "User $USER_LOGIN likely does not have access to secrets"
76- fi
77-
78-
7924 - uses : actions/checkout@v4
8025
8126 - name : Delete old comments
82- if : steps.check-secrets-access.outputs.has_secrets_access != 'true'
8327 env :
8428 GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
8529 run : |
8630 # Delete previous comment if it exists
8731 previous_comment_ids=$(gh api "repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
88- --jq '.[] | select(.body | startswith("<!-- INTEGRATION_TESTS -->")) | .id')
32+ --jq '.[] | select(.body | startswith("<!-- INTEGRATION_TESTS_MANUAL -->")) | .id')
8933 echo "Previous comment IDs: $previous_comment_ids"
9034 # Iterate over each comment ID and delete the comment
9135 if [ ! -z "$previous_comment_ids" ]; then
@@ -96,14 +40,14 @@ jobs:
9640 fi
9741
9842name : Comment on PR
99- if : steps.check-secrets-access.outputs.has_secrets_access != 'true'
10043 env :
10144 GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
10245 COMMIT_SHA : ${{ github.event.pull_request.head.sha }}
10346 run : |
10447 gh pr comment ${{ github.event.pull_request.number }} --body \
105- "<!-- INTEGRATION_TESTS -->
106- Run integration tests manually:
48+ "<!-- INTEGRATION_TESTS_MANUAL -->
49+ If integration tests don't run automatically, an authorized user can run them manually
50+ by following the instructions below:
10751 [go/deco-tests-run/sdk-java](https://go/deco-tests-run/sdk-java)
10852
10953 Inputs:
0 commit comments