feat: Add check user permission step in e2e workflow

zakisk · zakisk · commit 3823319491c0 · 2025-10-01T12:45:59.000+05:30
This commit adds a new step to the end-to-end (e2e)
workflow that checks the triggering user's repository
permissions.

The step runs a script that queries the GitHub REST
API to determine whether the user has sufficient
access (e.g., write, admin, etc.).
This verification helps enforce permission-based
controls within the CI process.

Signed-off-by: Zaki Shaikh &lt;zashaikh@redhat.com&gt;
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -31,8 +31,7 @@ jobs:
     if: >
       github.event_name == 'schedule' ||
       github.event_name == 'workflow_dispatch' ||
-      (github.event_name == 'pull_request_target' && 
-       contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR", "CONTRIBUTOR"]'), github.event.pull_request.author_association))
+      github.event_name == 'pull_request_target'
     concurrency:
       group: ${{ github.workflow }}-${{ matrix.provider }}-${{ github.event.pull_request.number || github.ref_name }}
       cancel-in-progress: true
@@ -73,6 +72,42 @@ jobs:
         with:
           ref: ${{ inputs.target_ref || github.event.pull_request.head.sha || github.sha }}
 
+      # Step to check PR author's org membership and repo permissions.
+      # This step will fail the job if checks do not pass, skipping subsequent steps.
+      - name: Check user permissions on PRs
+        if: github.event_name == 'pull_request_target'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const actor = context.payload.pull_request.user.login;
+            const org = context.repo.owner;
+
+            // Allow a specific list of trusted bots to bypass the permission check.
+            const trustedBots = ['dependabot[bot]']; // Add any other trusted bot accounts here
+            if (trustedBots.includes(actor)) {
+              core.info(`User @${actor} is a trusted bot, allowing.`);
+              return;
+            }
+
+            try {
+              // Directly check the user's permission level on the repository.
+              // This covers both org members and external collaborators with sufficient access.
+              const response = await github.rest.repos.getCollaboratorPermissionLevel({
+                owner: org,
+                repo: context.repo.repo,
+                username: actor,
+              });
+
+              const permission = response.data.permission;
+              if (permission !== 'admin' && permission !== 'write') {
+                core.setFailed(`❌ User @${actor} has only '${permission}' repository permission. 'write' or 'admin' is required.`);
+              } else {
+                core.info(`✅ User @${actor} has '${permission}' repository permission. Proceeding.`);
+              }
+            } catch (error) {
+              core.setFailed(`Permission check failed for @${actor}. They are likely not a collaborator on the repository. Error: ${error.message}`);
+            }
+
       - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
