From 6c646e453d5e2cbb3790c7c66d93a5c4e6908a27 Mon Sep 17 00:00:00 2001
From: Chmouel Boudjnah <chmouel@redhat.com>
Date: Fri, 10 Oct 2025 20:25:06 +0200
Subject: [PATCH] chore: Allow org members to trigger E2E workflow

The permission check script in the E2E workflow was updated. It now
verifies if the pull request author is a public member of the
`openshift-pipelines` organization.

This check is performed in addition to the existing checks for trusted
bots and collaborators with repository write access. This allows
organization members to run E2E tests on their pull requests without
requiring direct write permissions on the repository.

Additionally, `renovate[bot]` was added to the list of trusted bots.

Co-authored-by: Gemini <gemini@google.com>
Signed-off-by: Chmouel Boudjnah <chmouel@redhat.com>
---
 .github/workflows/e2e.yaml | 74 +++++++++++++++++++++++++-------------
 1 file changed, 49 insertions(+), 25 deletions(-)

diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index be93c098cb..1ebabd0364 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -79,35 +79,59 @@ jobs:
         uses: actions/github-script@v8
         with:
           script: |
-            const actor = context.payload.pull_request.user.login;
-            const org = context.repo.owner;
-
-            // Allow a specific list of trusted bots to bypass the permission check.
-            const trustedBots = ['dependabot[bot]']; // Add any other trusted bot accounts here
-            if (trustedBots.includes(actor)) {
-              core.info(`User @${actor} is a trusted bot, allowing.`);
-              return;
-            }
+            const context = github.context;
+
+            async function run() {
+              const actor = context.payload.pull_request.user.login;
+              const repoOwner = context.repo.owner;
+              const repoName = context.repo.repo;
+              const targetOrg = 'openshift-pipelines';
+
+              // Condition 1: Check if the user is a trusted bot.
+              const trustedBots = ['dependabot[bot]', 'renovate[bot]'];
+              if (trustedBots.includes(actor)) {
+                core.info(`✅ Condition met: User @${actor} is a trusted bot. Proceeding.`);
+                return; // Success
+              }
 
-            try {
-              // Directly check the user's permission level on the repository.
-              // This covers both org members and external collaborators with sufficient access.
-              const response = await github.rest.repos.getCollaboratorPermissionLevel({
-                owner: org,
-                repo: context.repo.repo,
-                username: actor,
-              });
-
-              const permission = response.data.permission;
-              if (permission !== 'admin' && permission !== 'write') {
-                core.setFailed(`❌ User @${actor} has only '${permission}' repository permission. 'write' or 'admin' is required.`);
-              } else {
-                core.info(`✅ User @${actor} has '${permission}' repository permission. Proceeding.`);
+              // Condition 2: Check for public membership in the target organization.
+              core.info(`User @${actor} is not a trusted bot. Checking for membership in '${targetOrg}'...`);
+              try {
+                await github.rest.orgs.checkMembershipForUser({
+                  org: targetOrg,
+                  username: actor,
+                });
+                core.info(`✅ Condition met: User @${actor} is a public member of '${targetOrg}'. Proceeding.`);
+                return; // Success
+              } catch (error) {
+                // This is not a failure, just one unmet condition. Log and continue.
+                core.info(`ⓘ User @${actor} is not a public member of '${targetOrg}'. Checking repository permissions as a fallback.`);
+              }
+
+              // Condition 3: Check for write/admin permission on the repository.
+              try {
+                const response = await github.rest.repos.getCollaboratorPermissionLevel({
+                  owner: repoOwner,
+                  repo: repoName,
+                  username: actor,
+                });
+
+                const permission = response.data.permission;
+                if (permission === 'admin' || permission === 'write') {
+                  core.info(`✅ Condition met: User @${actor} has '${permission}' repository permission. Proceeding.`);
+                  return; // Success
+                } else {
+                  // If we reach here, no conditions were met. This is the final failure.
+                  core.setFailed(`❌ Permission check failed. User @${actor} did not meet any required conditions (trusted bot, org member, or repo write access).`);
+                }
+              } catch (error) {
+                // This error means they are not even a collaborator.
+                core.setFailed(`❌ Permission check failed. User @${actor} is not a collaborator on this repository and did not meet other conditions.`);
               }
-            } catch (error) {
-              core.setFailed(`Permission check failed for @${actor}. They are likely not a collaborator on the repository. Error: ${error.message}`);
             }
 
+            run();
+
       - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"