|
43 | 43 | provider: [providers, gitea_others] |
44 | 44 |
|
45 | 45 | env: |
| 46 | + TARGET_TEAM_SLUGS: "pipeline-as-code,pipeline-as-code-contributors" |
46 | 47 | KO_DOCKER_REPO: localhost:5000 |
47 | 48 | CONTROLLER_DOMAIN_URL: controller.paac-127-0-0-1.nip.io |
48 | 49 | TEST_GITHUB_REPO_OWNER_GITHUBAPP: openshift-pipelines/pipelines-as-code-e2e-tests |
@@ -79,35 +80,164 @@ jobs: |
79 | 80 | uses: actions/github-script@v8 |
80 | 81 | with: |
81 | 82 | script: | |
82 | | - const actor = context.payload.pull_request.user.login; |
83 | | - const org = context.repo.owner; |
84 | | -
|
85 | | - // Allow a specific list of trusted bots to bypass the permission check. |
86 | | - const trustedBots = ['dependabot[bot]']; // Add any other trusted bot accounts here |
87 | | - if (trustedBots.includes(actor)) { |
88 | | - core.info(`User @${actor} is a trusted bot, allowing.`); |
| 83 | + if (!context || !context.payload || !context.payload.pull_request) { |
| 84 | + core.setFailed('Invalid GitHub context: missing required pull_request information'); |
89 | 85 | return; |
90 | 86 | } |
91 | 87 |
|
92 | | - try { |
93 | | - // Directly check the user's permission level on the repository. |
94 | | - // This covers both org members and external collaborators with sufficient access. |
95 | | - const response = await github.rest.repos.getCollaboratorPermissionLevel({ |
96 | | - owner: org, |
97 | | - repo: context.repo.repo, |
98 | | - username: actor, |
99 | | - }); |
100 | | -
|
101 | | - const permission = response.data.permission; |
102 | | - if (permission !== 'admin' && permission !== 'write') { |
103 | | - core.setFailed(`❌ User @${actor} has only '${permission}' repository permission. 'write' or 'admin' is required.`); |
104 | | - } else { |
105 | | - core.info(`✅ User @${actor} has '${permission}' repository permission. Proceeding.`); |
| 88 | + async function run() { |
| 89 | + const actor = context.payload.pull_request.user.login; |
| 90 | + const repoOwner = context.repo.owner; |
| 91 | + const repoName = context.repo.repo; |
| 92 | + const targetOrg = context.repo.owner; |
| 93 | +
|
| 94 | + core.info(`🔍 Starting permission check for user: @${actor}`); |
| 95 | + core.info(`📋 Repository: ${repoOwner}/${repoName}`); |
| 96 | + core.info(`🏢 Target organization: ${targetOrg}`); |
| 97 | +
|
| 98 | + // Condition 1: Check if the user is a trusted bot. |
| 99 | + const trustedBots = ["dependabot[bot]", "renovate[bot]"]; |
| 100 | + core.info(`🤖 Checking if @${actor} is a trusted bot...`); |
| 101 | + core.info(` Trusted bots list: ${trustedBots.join(', ')}`); |
| 102 | +
|
| 103 | + if (trustedBots.includes(actor)) { |
| 104 | + core.info(`✅ Condition met: User @${actor} is a trusted bot. Proceeding.`); |
| 105 | + return; // Success |
| 106 | + } |
| 107 | + core.info(` ❌ User @${actor} is not a trusted bot.`); |
| 108 | +
|
| 109 | + // Condition 2: Check for public membership in the target organization. |
| 110 | + core.info(`\n👥 Condition 2: Checking organization and team membership...`); |
| 111 | + core.info( |
| 112 | + `User @${actor} is not a trusted bot. Checking for membership in '${targetOrg}'...`, |
| 113 | + ); |
| 114 | + try { |
| 115 | + // Optional: check membership in one or more org teams (set TARGET_TEAM_SLUGS as comma-separated slugs in workflow env) |
| 116 | + const teamSlugsEnv = process.env.TARGET_TEAM_SLUGS || ""; |
| 117 | + const teamSlugs = teamSlugsEnv |
| 118 | + .split(",") |
| 119 | + .map((s) => s.trim()) |
| 120 | + .filter(Boolean); |
| 121 | +
|
| 122 | + core.info(`🔧 TARGET_TEAM_SLUGS environment variable: "${teamSlugsEnv}"`); |
| 123 | + core.info(`📝 Parsed team slugs: [${teamSlugs.join(', ')}]`); |
| 124 | +
|
| 125 | + if (teamSlugs.length > 0) { |
| 126 | + core.info(`🔍 Checking team membership for ${teamSlugs.length} team(s)...`); |
| 127 | + for (const team_slug of teamSlugs) { |
| 128 | + core.info(` Checking team: ${team_slug}...`); |
| 129 | + try { |
| 130 | + const membership = await github.rest.teams.getMembershipForUserInOrg({ |
| 131 | + org: targetOrg, |
| 132 | + team_slug, |
| 133 | + username: actor, |
| 134 | + }); |
| 135 | + core.info(` API response for team '${team_slug}': ${JSON.stringify(membership.data)}`); |
| 136 | + if ( |
| 137 | + membership && |
| 138 | + membership.data && |
| 139 | + membership.data.state === "active" |
| 140 | + ) { |
| 141 | + core.info( |
| 142 | + `✅ Condition met: User @${actor} is a member of team '${team_slug}' in '${targetOrg}'. Proceeding.`, |
| 143 | + ); |
| 144 | + return; // Success |
| 145 | + } else { |
| 146 | + core.info(` ⚠️ Team membership found but state is not 'active': ${membership.data.state}`); |
| 147 | + } |
| 148 | + } catch (err) { |
| 149 | + // Not a member of this team or team doesn't exist — continue to next |
| 150 | + core.info( |
| 151 | + ` ❌ User @${actor} is not a member of team '${team_slug}' (or team not found). Error: ${err.message}`, |
| 152 | + ); |
| 153 | + } |
| 154 | + } |
| 155 | + // If we tried team checks and none matched, continue to next org membership checks |
| 156 | + core.info( |
| 157 | + `ⓘ User @${actor} is not a member of any configured teams in '${targetOrg}'. Falling back to org membership checks.`, |
| 158 | + ); |
| 159 | + } else { |
| 160 | + core.info(`ℹ️ No teams configured in TARGET_TEAM_SLUGS. Skipping team membership checks.`); |
| 161 | + } |
| 162 | + core.info(`🏢 Checking organization membership for @${actor} in '${targetOrg}'...`); |
| 163 | + try { |
| 164 | + core.info(` Attempting checkMembershipForUser API call...`); |
| 165 | + await github.rest.orgs.checkMembershipForUser({ |
| 166 | + org: targetOrg, |
| 167 | + username: actor, |
| 168 | + }); |
| 169 | + core.info( |
| 170 | + `✅ Condition met: User @${actor} is a member of '${targetOrg}'. Proceeding.`, |
| 171 | + ); |
| 172 | + return; // Success |
| 173 | + } catch (err) { |
| 174 | + // Try public membership as fallback |
| 175 | + core.info(` ❌ Private membership check failed: ${err.message}`); |
| 176 | + core.info(` Attempting checkPublicMembershipForUser API call...`); |
| 177 | + try { |
| 178 | + await github.rest.orgs.checkPublicMembershipForUser({ |
| 179 | + org: targetOrg, |
| 180 | + username: actor, |
| 181 | + }); |
| 182 | + core.info( |
| 183 | + `✅ Condition met: User @${actor} is a public member of '${targetOrg}'. Proceeding.`, |
| 184 | + ); |
| 185 | + return; // Success |
| 186 | + } catch (publicErr) { |
| 187 | + // Neither private nor public member - will be caught by outer catch |
| 188 | + core.info(` ❌ Public membership check failed: ${publicErr.message}`); |
| 189 | + throw publicErr; |
| 190 | + } |
| 191 | + } |
| 192 | + } catch (error) { |
| 193 | + // This is not a failure, just one unmet condition. Log and continue. |
| 194 | + core.info( |
| 195 | + `ⓘ User @${actor} is not a public member of '${targetOrg}'. Checking repository permissions as a fallback.`, |
| 196 | + ); |
| 197 | + } |
| 198 | +
|
| 199 | + // Condition 3: Check for write/admin permission on the repository. |
| 200 | + core.info(`\n🔐 Condition 3: Checking repository collaborator permissions...`); |
| 201 | + try { |
| 202 | + core.info(` Attempting getCollaboratorPermissionLevel API call...`); |
| 203 | + const response = await github.rest.repos.getCollaboratorPermissionLevel({ |
| 204 | + owner: repoOwner, |
| 205 | + repo: repoName, |
| 206 | + username: actor, |
| 207 | + }); |
| 208 | +
|
| 209 | + const permission = response.data.permission; |
| 210 | + core.info(` User @${actor} has '${permission}' permission on ${repoOwner}/${repoName}`); |
| 211 | +
|
| 212 | + if (permission === "admin" || permission === "write") { |
| 213 | + core.info( |
| 214 | + `✅ Condition met: User @${actor} has '${permission}' repository permission. Proceeding.`, |
| 215 | + ); |
| 216 | + return; // Success |
| 217 | + } else { |
| 218 | + // If we reach here, no conditions were met. This is the final failure. |
| 219 | + core.info(` ❌ Permission '${permission}' is insufficient (requires 'write' or 'admin')`); |
| 220 | + core.setFailed( |
| 221 | + `❌ Permission check failed. User @${actor} did not meet any required conditions (trusted bot, org member, or repo write access).`, |
| 222 | + ); |
| 223 | + return; |
| 224 | + } |
| 225 | + } catch (error) { |
| 226 | + // This error means they are not even a collaborator. |
| 227 | + core.info(` ❌ Collaborator permission check failed: ${error.message}`); |
| 228 | + core.setFailed( |
| 229 | + `❌ Permission check failed. User @${actor} is not a collaborator on this repository and did not meet other conditions.`, |
| 230 | + ); |
| 231 | + return; |
106 | 232 | } |
107 | | - } catch (error) { |
108 | | - core.setFailed(`Permission check failed for @${actor}. They are likely not a collaborator on the repository. Error: ${error.message}`); |
109 | 233 | } |
110 | 234 |
|
| 235 | + run().catch(err => { |
| 236 | + core.error(`💥 Unexpected error during permission check: ${err.message}`); |
| 237 | + core.error(` Stack trace: ${err.stack}`); |
| 238 | + core.setFailed(`Unexpected error during permission check: ${err.message}`); |
| 239 | + }); |
| 240 | +
|
111 | 241 | - uses: actions/setup-go@v6 |
112 | 242 | with: |
113 | 243 | go-version-file: "go.mod" |
@@ -154,6 +284,7 @@ jobs: |
154 | 284 | TEST_GITHUB_SECOND_SMEE_URL: ${{ secrets.TEST_GITHUB_SECOND_SMEE_URL }} |
155 | 285 | TEST_GITHUB_SECOND_PRIVATE_KEY: ${{ secrets.TEST_GITHUB_SECOND_PRIVATE_KEY }} |
156 | 286 | TEST_GITHUB_SECOND_WEBHOOK_SECRET: ${{ secrets.TEST_GITHUB_SECOND_WEBHOOK_SECRET }} |
| 287 | + TEST_GITHUB_SECOND_APPLICATION_ID: ${{ vars.TEST_GITHUB_SECOND_APPLICATION_ID }} |
157 | 288 | run: | |
158 | 289 | ./hack/gh-workflow-ci.sh create_second_github_app_controller_on_ghe |
159 | 290 |
|
@@ -211,7 +342,7 @@ jobs: |
211 | 342 |
|
212 | 343 | - name: Upload artifacts |
213 | 344 | if: ${{ always() }} |
214 | | - uses: actions/upload-artifact@v4 |
| 345 | + uses: actions/upload-artifact@v5 |
215 | 346 | with: |
216 | 347 | name: logs-e2e-tests-${{ matrix.provider }} |
217 | 348 | path: /tmp/logs |
|
0 commit comments