# Gate for changes to the repository's own tooling and configuration
# ("system files"): anything that is not markdown and not inside one of the
# compat-data JSON directories excluded below. Data-only PRs never trigger it.
name: System file changes

# SECURITY: pull_request_target runs the job in the context of the base
# repository, so repository/org secrets (ORG_PAT below) are available even for
# PRs opened from forks. That is acceptable here only because the job never
# checks out or executes anything from the PR head - it only calls the GitHub
# API with values taken from the event payload. Do not add an actions/checkout
# of the PR ref, a dependency install, or a build/test step to this workflow;
# that would run untrusted code with the PAT in its environment.
on:
  pull_request_target:
    branches:
      - main
    # "**" selects every path, then the "!" entries carve out the files that
    # ordinary contributors edit. The job runs only when the PR touches some
    # path that survives the exclusions.
    # NOTE(review): if this job is configured as a required status check,
    # confirm how branch protection treats PRs that never trigger it
    # (data-only changes) - that behaviour is not visible from this file.
    paths:
      - "**"
      - "!**.md"
      - "!api/**.json"
      - "!browsers/**.json"
      - "!css/**.json"
      - "!html/**.json"
      - "!http/**.json"
      - "!javascript/**.json"
      - "!manifests/**.json"
      - "!mathml/**.json"
      - "!mediatypes/**.json"
      - "!svg/**.json"
      - "!webassembly/**.json"
      - "!webdriver/**.json"
      - "!webextensions/**.json"

# No GITHUB_TOKEN permissions, as we don't use it.
# NOTE(review): this only restricts GITHUB_TOKEN. The step below authenticates
# gh with secrets.ORG_PAT instead, so the PAT's own scopes - not this line -
# bound what the job can do with the API. Confirm the PAT is read-only and
# limited to the collaborator-permission and team-membership lookups made here.
permissions: {}

jobs:
  block:
    # Only runs in the canonical mdn repository (not in forks, where
    # repository_owner differs) and skips PRs authored by Dependabot or
    # mdn-bot, which are exempt from the admin/owner gate.
    if: github.repository_owner == 'mdn' && github.event.pull_request.user.login != 'dependabot[bot]' && github.event.pull_request.user.login != 'mdn-bot'
    runs-on: ubuntu-latest
    steps:
      # Fails the step (and therefore the check) unless both the PR author and
      # the triggering actor are repository admins or active members of the
      # mdn/bcd-owners team.
      # ACTOR and AUTHOR are handed to the script via env rather than being
      # interpolated into the run body with ${{ }}, so a crafted login cannot
      # inject shell into the script; they are only ever used double-quoted.
      - name: Block if author/actor is not admin or BCD owner
        env:
          ACTOR: ${{ github.actor }}
          AUTHOR: ${{ github.event.pull_request.user.login }}
          GH_TOKEN: ${{ secrets.ORG_PAT }}
        run: |
          # Returns 0 if "$1" is a repo admin or an active bcd-owners team
          # member. Otherwise it calls `exit 1`, which terminates the whole
          # step, not just this function - there is no caller-side handling.
          is_admin_or_owner() {
            local user="$1"
            echo "Checking user: $user"
            local perm
            # gh failures (e.g. expired/revoked PAT, rate limiting, user not a
            # collaborator) are silenced and leave $perm empty, so they fall
            # through to the block below. The gate therefore fails closed, but
            # an infrastructure problem is reported to the contributor as
            # "not an admin" rather than as an API error.
            perm=$(gh api "repos/mdn/browser-compat-data/collaborators/$user/permission" --jq .permission 2> /dev/null || true)
            # Only the top-level "admin" permission passes; write/read do not.
            if [ "$perm" = "admin" ]; then
              return 0
            fi
            local state
            # Same silenced-error pattern as above. Only an accepted ("active")
            # membership passes; anything else - including an empty $state from
            # a failed lookup - is treated as "not a member".
            state=$(gh api "orgs/mdn/teams/bcd-owners/memberships/$user" --jq .state 2> /dev/null || true)
            if [ "$state" = "active" ]; then
              return 0
            fi
            echo "User ($user) is not an admin, and not a BCD owner; please ping someone for a review."
            exit 1
          }
          # Check PR author.
          is_admin_or_owner "$AUTHOR"
          # Check actor. The actor may differ from the author (presumably when
          # someone else pushes to, or re-triggers, the PR); in that case both
          # must pass, so a privileged actor cannot vouch for an unprivileged
          # author or vice versa.
          if [ "$ACTOR" != "$AUTHOR" ]; then
            is_admin_or_owner "$ACTOR"
          fi