@@ -18,72 +18,15 @@ jobs:
1818 pull-requests : write
1919
2020 steps :
21- # NOTE: The following checks may not be accurate depending on Org or Repo settings.
22- - name : Check user and potential secret access
23- id : check-secrets-access
24- env :
25- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
26- run : |
27- USER_LOGIN="${{ github.event.pull_request.user.login }}"
28- REPO_OWNER="${{ github.repository_owner }}"
29- REPO_NAME="${{ github.event.repository.name }}"
30-
31- echo "Pull request opened by: $USER_LOGIN"
32-
33- # Check if PR is from a fork
34- IS_FORK=$([[ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]] && echo "true" || echo "false")
35-
36- HAS_ACCESS="false"
37-
38- # Check user's permission level on the repository
39- USER_PERMISSION=$(gh api repos/$REPO_OWNER/$REPO_NAME/collaborators/$USER_LOGIN/permission --jq '.permission')
40-
41- if [[ "$USER_PERMISSION" == "admin" || "$USER_PERMISSION" == "write" ]]; then
42- HAS_ACCESS="true"
43- elif [[ "$USER_PERMISSION" == "read" ]]; then
44- # For read access, we need to check if the user has been explicitly granted secret access
45- # This information is not directly available via API, so we'll make an assumption
46- # that read access does not imply secret access
47- HAS_ACCESS="false"
48- fi
49-
50- # Check if repo owner is an organization
51- IS_ORG=$(gh api users/$REPO_OWNER --jq '.type == "Organization"')
52-
53- if [[ "$IS_ORG" == "true" && "$HAS_ACCESS" == "false" ]]; then
54- # Check if user is a member of any team with write or admin access to the repo
55- TEAMS_WITH_ACCESS=$(gh api repos/$REPO_OWNER/$REPO_NAME/teams --jq '.[] | select(.permission == "push" or .permission == "admin") | .slug')
56- for team in $TEAMS_WITH_ACCESS; do
57- IS_TEAM_MEMBER=$(gh api orgs/$REPO_OWNER/teams/$team/memberships/$USER_LOGIN --silent && echo "true" || echo "false")
58- if [[ "$IS_TEAM_MEMBER" == "true" ]]; then
59- HAS_ACCESS="true"
60- break
61- fi
62- done
63- fi
64-
65- # If it's a fork, set HAS_ACCESS to false regardless of other checks
66- if [[ "$IS_FORK" == "true" ]]; then
67- HAS_ACCESS="false"
68- fi
69-
70- echo "has_secrets_access=$HAS_ACCESS" >> $GITHUB_OUTPUT
71- if [[ "$HAS_ACCESS" == "true" ]]; then
72- echo "User $USER_LOGIN likely has access to secrets"
73- else
74- echo "User $USER_LOGIN likely does not have access to secrets"
75- fi
76-
7721 - uses : actions/checkout@v4
7822
7923 - name : Delete old comments
80- if : steps.check-secrets-access.outputs.has_secrets_access != 'true'
8124 env :
8225 GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
8326 run : |
8427 # Delete previous comment if it exists
8528 previous_comment_ids=$(gh api "repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
86- --jq '.[] | select(.body | startswith("<!-- INTEGRATION_TESTS -->")) | .id')
29+ --jq '.[] | select(.body | startswith("<!-- INTEGRATION_TESTS_MANUAL -->")) | .id')
8730 echo "Previous comment IDs: $previous_comment_ids"
8831 # Iterate over each comment ID and delete the comment
8932 if [ ! -z "$previous_comment_ids" ]; then
@@ -94,14 +37,15 @@ jobs:
9437 fi
9538
9639 - name : Comment on PR
97- if : steps.check-secrets-access.outputs.has_secrets_access != 'true'
9840 env :
9941 GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
10042 COMMIT_SHA : ${{ github.event.pull_request.head.sha }}
10143 run : |
10244 gh pr comment ${{ github.event.pull_request.number }} --body \
103- "<!-- INTEGRATION_TESTS -->
104- Run integration tests manually:
45+ "<!-- INTEGRATION_TESTS_MANUAL -->
46+ If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:
47+
48+ Trigger:
10549 [go/deco-tests-run/vscode](https://go/deco-tests-run/vscode)
10650
10751 Inputs:
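Review bot: In the `Delete old comments` step the jq filter selects comments by the marker alone, so any comment whose body starts with `<!-- INTEGRATION_TESTS_MANUAL -->` is queued for deletion regardless of who wrote it. With the `has_secrets_access` condition removed, this cleanup now runs on every pull request, so the selection is worth tightening to the workflow's own comments. Comments posted with `GITHUB_TOKEN` are authored by `github-actions[bot]`, so the filter could be `select(.user.login == "github-actions[bot]" and (.body | startswith("<!-- INTEGRATION_TESTS_MANUAL -->")))`. The deletion loop itself falls between the two hunks and is not shown, so this assumes it deletes every ID the filter returns.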