|
23 | 23 | with: |
24 | 24 | fetch-depth: 0 |
25 | 25 | ref: main |
26 | | - token: ${{ secrets.PAT }} |
| 26 | + token: ${{ secrets.PAT }} |
| 27 | + |
| 28 | + - name: Check if user is authorized |
| 29 | + id: auth_check |
| 30 | + run: | |
| 31 | + merged_by="${{ github.event.pull_request.merged_by.login }}" |
| 32 | + echo "PR was merged by: $merged_by" |
| 33 | + |
| 34 | + # Get authorized users from CODEOWNERS file |
| 35 | + authorized_users=() |
| 36 | + |
| 37 | + # Read CODEOWNERS file if it exists |
| 38 | + if [[ -f ".github/CODEOWNERS" ]]; then |
| 39 | + echo "📋 Reading CODEOWNERS file..." |
| 40 | + # Extract usernames from CODEOWNERS (remove @ prefix) |
| 41 | + codeowners=$(grep -v '^#' .github/CODEOWNERS | grep -o '@[a-zA-Z0-9_-]*' | sed 's/@//' | sort -u) |
| 42 | + for user in $codeowners; do |
| 43 | + authorized_users+=("$user") |
| 44 | + echo " - CODEOWNER: $user" |
| 45 | + done |
| 46 | + else |
| 47 | + echo "⚠️ No CODEOWNERS file found" |
| 48 | + fi |
| 49 | + |
| 50 | + # Get repository collaborators with admin/maintain permissions using GitHub API |
| 51 | + echo "🔍 Checking repository permissions..." |
| 52 | + |
| 53 | + # Check if user has admin or maintain permissions |
| 54 | + user_permission=$(curl -s -H "Authorization: token ${{ secrets.PAT }}" \ |
| 55 | + -H "Accept: application/vnd.github.v3+json" \ |
| 56 | + "https://api.github.com/repos/${{ github.repository }}/collaborators/$merged_by/permission" | \ |
| 57 | + jq -r '.permission // "none"') |
| 58 | + |
| 59 | + echo "User $merged_by has permission level: $user_permission" |
| 60 | + |
| 61 | + # Check if user is authorized |
| 62 | + is_authorized=false |
| 63 | + |
| 64 | + # Check if user is in CODEOWNERS |
| 65 | + for user in "${authorized_users[@]}"; do |
| 66 | + if [[ "$user" == "$merged_by" ]]; then |
| 67 | + is_authorized=true |
| 68 | + echo "✅ User $merged_by is authorized via CODEOWNERS" |
| 69 | + break |
| 70 | + fi |
| 71 | + done |
| 72 | + |
| 73 | + # Check if user has admin or maintain permissions |
| 74 | + if [[ "$user_permission" == "admin" || "$user_permission" == "maintain" ]]; then |
| 75 | + is_authorized=true |
| 76 | + echo "✅ User $merged_by is authorized via repository permissions ($user_permission)" |
| 77 | + fi |
| 78 | + |
| 79 | + # Check if user is organization owner (for metaversecloud-com org) |
| 80 | + org_response=$(curl -s -H "Authorization: token ${{ secrets.PAT }}" \ |
| 81 | + -H "Accept: application/vnd.github.v3+json" \ |
| 82 | + "https://api.github.com/orgs/metaversecloud-com/members/$merged_by" \ |
| 83 | + -w "%{http_code}") |
| 84 | + |
| 85 | + # Extract HTTP status code from the response |
| 86 | + http_code=${org_response: -3} |
| 87 | + |
| 88 | + if [[ "$http_code" == "200" ]]; then |
| 89 | + # Check if user is an owner |
| 90 | + owner_status=$(curl -s -H "Authorization: token ${{ secrets.PAT }}" \ |
| 91 | + -H "Accept: application/vnd.github.v3+json" \ |
| 92 | + "https://api.github.com/orgs/metaversecloud-com/memberships/$merged_by" | \ |
| 93 | + jq -r '.role // "none"') |
| 94 | + |
| 95 | + if [[ "$owner_status" == "admin" ]]; then |
| 96 | + is_authorized=true |
| 97 | + echo "✅ User $merged_by is authorized as organization owner" |
| 98 | + fi |
| 99 | + fi |
| 100 | + |
| 101 | + echo "is_authorized=$is_authorized" >> $GITHUB_OUTPUT |
| 102 | + |
| 103 | + if [[ "$is_authorized" == "false" ]]; then |
| 104 | + echo "❌ User $merged_by is not authorized to trigger releases" |
| 105 | + echo "💡 Authorized users include:" |
| 106 | + echo " - CODEOWNERS: ${authorized_users[*]}" |
| 107 | + echo " - Repository admins and maintainers" |
| 108 | + echo " - Organization owners" |
| 109 | + exit 0 |
| 110 | + else |
| 111 | + echo "🎉 User $merged_by is authorized to trigger releases" |
| 112 | + fi |
27 | 113 |
|
28 | 114 | - name: Check for release labels and determine version bumps |
| 115 | + if: steps.auth_check.outputs.is_authorized == 'true' |
29 | 116 | id: check |
30 | 117 | run: | |
31 | 118 | labels='${{ toJson(github.event.pull_request.labels.*.name) }}' |
@@ -65,13 +152,13 @@ jobs: |
65 | 152 | echo "Has major: $has_major, minor: $has_minor, patch: $has_patch" |
66 | 153 |
|
67 | 154 | - name: Setup Node.js |
68 | | - if: steps.check.outputs.should_release == 'true' |
| 155 | + if: steps.auth_check.outputs.is_authorized == 'true' && steps.check.outputs.should_release == 'true' |
69 | 156 | uses: actions/setup-node@v4 |
70 | 157 | with: |
71 | 158 | node-version: 20.10 |
72 | 159 |
|
73 | 160 | - name: Calculate new version with cumulative bumps |
74 | | - if: steps.check.outputs.should_release == 'true' |
| 161 | + if: steps.auth_check.outputs.is_authorized == 'true' && steps.check.outputs.should_release == 'true' |
75 | 162 | id: version |
76 | 163 | run: | |
77 | 164 | git config --global user.email "github-actions[bot]@users.noreply.github.com" |
@@ -125,7 +212,7 @@ jobs: |
125 | 212 | echo "New version will be: v$new_version" |
126 | 213 |
|
127 | 214 | - name: Create Release |
128 | | - if: steps.check.outputs.should_release == 'true' |
| 215 | + if: steps.auth_check.outputs.is_authorized == 'true' && steps.check.outputs.should_release == 'true' |
129 | 216 | uses: softprops/action-gh-release@v2 |
130 | 217 | with: |
131 | 218 | token: ${{ secrets.PAT }} # Use PAT to trigger other workflows |
|
0 commit comments