74 changes: 49 additions & 25 deletions .github/workflows/e2e.yaml
@@ -79,35 +79,59 @@ jobs:
uses: actions/github-script@v8
with:
script: |
const actor = context.payload.pull_request.user.login;
const org = context.repo.owner;

// Allow a specific list of trusted bots to bypass the permission check.
const trustedBots = ['dependabot[bot]']; // Add any other trusted bot accounts here
if (trustedBots.includes(actor)) {
core.info(`User @${actor} is a trusted bot, allowing.`);
return;
}
const context = github.context;

async function run() {
const actor = context.payload.pull_request.user.login;
const repoOwner = context.repo.owner;
const repoName = context.repo.repo;
const targetOrg = 'openshift-pipelines';
Contributor (review comment on the line above):
Suggested change
const targetOrg = 'openshift-pipelines';

const repoOwner = context.repo.owner;
repoOwner is also "openshift-pipelines"

Contributor:
you don't need to have it hardcoded


// Condition 1: Check if the user is a trusted bot.
const trustedBots = ['dependabot[bot]', 'renovate[bot]'];
if (trustedBots.includes(actor)) {
core.info(`βœ… Condition met: User @${actor} is a trusted bot. Proceeding.`);
return; // Success
}

try {
// Directly check the user's permission level on the repository.
// This covers both org members and external collaborators with sufficient access.
const response = await github.rest.repos.getCollaboratorPermissionLevel({
owner: org,
repo: context.repo.repo,
username: actor,
});

const permission = response.data.permission;
if (permission !== 'admin' && permission !== 'write') {
core.setFailed(`❌ User @${actor} has only '${permission}' repository permission. 'write' or 'admin' is required.`);
} else {
core.info(`βœ… User @${actor} has '${permission}' repository permission. Proceeding.`);
// Condition 2: Check for public membership in the target organization.
core.info(`User @${actor} is not a trusted bot. Checking for membership in '${targetOrg}'...`);
try {
await github.rest.orgs.checkMembershipForUser({
Contributor (review comment on the line above):
This checks for both public and private membership; if you only want to check public membership, then there is another function for that, checkPublicMembershipForUser.
Note: see these docs and search for the function name "checkPublicMembershipForUser"

Contributor zakisk, Oct 13, 2025:
Or you can use the getMembershipForUserInOrg func to check the permission of a user in a team for an org:

github.rest.teams.getMembershipForUserInOrg({
  org,
  team_slug,
  username,
});

org: targetOrg,
username: actor,
});
core.info(`βœ… Condition met: User @${actor} is a public member of '${targetOrg}'. Proceeding.`);
return; // Success
} catch (error) {
// This is not a failure, just one unmet condition. Log and continue.
core.info(`β“˜ User @${actor} is not a public member of '${targetOrg}'. Checking repository permissions as a fallback.`);
}

// Condition 3: Check for write/admin permission on the repository.
try {
const response = await github.rest.repos.getCollaboratorPermissionLevel({
owner: repoOwner,
repo: repoName,
username: actor,
});

const permission = response.data.permission;
if (permission === 'admin' || permission === 'write') {
core.info(`βœ… Condition met: User @${actor} has '${permission}' repository permission. Proceeding.`);
return; // Success
} else {
// If we reach here, no conditions were met. This is the final failure.
core.setFailed(`❌ Permission check failed. User @${actor} did not meet any required conditions (trusted bot, org member, or repo write access).`);
}
} catch (error) {
// This error means they are not even a collaborator.
core.setFailed(`❌ Permission check failed. User @${actor} is not a collaborator on this repository and did not meet other conditions.`);
}
} catch (error) {
core.setFailed(`Permission check failed for @${actor}. They are likely not a collaborator on the repository. Error: ${error.message}`);
}

run();

- uses: actions/setup-go@v6
with:
go-version-file: "go.mod"
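Review bot: `const context = github.context;` at the top of the new script body redeclares the `context` that actions/github-script already supplies as a function argument (alongside `github`, `core` and the others), and `github` inside the script is the Octokit client rather than the @actions/github module, so `github.context` is not the Actions context; drop that line and use the `context` the step already provides, as the old version of the script did. The script also ends with a bare `run();` instead of `return run();`, so its completion is never awaited by the step; returning the promise makes a rejection inside run() (for example `context.payload.pull_request` being undefined when the workflow is triggered by something other than a pull request) fail the step explicitly. Finally, the `catch` around checkMembershipForUser treats every error as "not a public member", including rate limiting or a 5xx from the API; logging `error.status` there would keep the fallback to the repository permission check, but make it clear in the step log why membership could not be established.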
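The membership and permission calls discussed in the review comments above, as an added example that is not the PR's or the project's code: the script's three-way gate (trusted bot, then public org membership, then write/admin on the repository) factored into a function that takes the Octokit `rest` client as a parameter, using checkPublicMembershipForUser as one comment suggests, and exercised offline against a constructed fake client. The org, repository and user names are hypothetical; the one deliberate difference from the workflow script is that a non-404 error from the membership endpoint is recorded as an API error rather than as "not a member" before falling through to the repository check.

```javascript
// Added example, not the PR's code: the e2e.yaml permission gate factored into a
// function that takes the Octokit `rest` client as an argument, so the decision
// logic can be exercised offline against a constructed fake client.

const TRUSTED_BOTS = new Set(['dependabot[bot]', 'renovate[bot]']);
const SUFFICIENT_PERMISSIONS = new Set(['admin', 'write']);

// Decide whether `actor` may trigger the job. Order mirrors the workflow:
// trusted bot, then public org membership, then write/admin on the repo.
// A 404 from the membership call means "not a member"; any other status is
// recorded as an API error so that an outage is never logged as "not a member".
// Both cases fall through to the (stricter) repository permission check.
async function authorizeActor(rest, { actor, org, owner, repo }) {
  const checks = [];
  if (TRUSTED_BOTS.has(actor)) {
    return { allowed: true, reason: 'trusted bot', checks };
  }

  try {
    // 204 means public member; Octokit throws a RequestError with status 404 otherwise.
    await rest.orgs.checkPublicMembershipForUser({ org, username: actor });
    return { allowed: true, reason: `public member of ${org}`, checks };
  } catch (err) {
    checks.push(err.status === 404 ? 'not a public org member' : `membership check error (${err.status})`);
  }

  try {
    const { data } = await rest.repos.getCollaboratorPermissionLevel({ owner, repo, username: actor });
    if (SUFFICIENT_PERMISSIONS.has(data.permission)) {
      return { allowed: true, reason: `${data.permission} on ${owner}/${repo}`, checks };
    }
    checks.push(`only ${data.permission} on ${owner}/${repo}`);
  } catch (err) {
    // Fail closed: an error here denies, whether it is a 404 or anything else.
    checks.push(err.status === 404 ? 'not a collaborator' : `permission check error (${err.status})`);
  }
  return { allowed: false, reason: 'no condition met', checks };
}

// Constructed stand-in for github.rest from actions/github-script. Thrown
// errors carry a `status` property like Octokit's RequestError.
function makeFakeRest({ publicMembers = [], permissions = {}, membershipError = null } = {}) {
  const httpError = (status) => Object.assign(new Error(`HTTP ${status}`), { status });
  return {
    orgs: {
      async checkPublicMembershipForUser({ org, username }) {
        if (membershipError) throw httpError(membershipError);
        if (publicMembers.includes(`${org}/${username}`)) return { status: 204 };
        throw httpError(404);
      },
    },
    repos: {
      async getCollaboratorPermissionLevel({ owner, repo, username }) {
        const key = `${owner}/${repo}/${username}`;
        if (!(key in permissions)) throw httpError(404);
        return { data: { permission: permissions[key] } };
      },
    },
  };
}

// Constructed scenarios (hypothetical org, repository and users).
const TARGET = { org: 'example-org', owner: 'example-org', repo: 'example-repo' };
const FAKE = makeFakeRest({
  publicMembers: ['example-org/alice'],
  permissions: {
    'example-org/example-repo/bob': 'write',
    'example-org/example-repo/carol': 'read',
  },
});

async function evaluateScenarios() {
  const results = {};
  for (const actor of ['dependabot[bot]', 'alice', 'bob', 'carol', 'mallory']) {
    results[actor] = await authorizeActor(FAKE, { actor, ...TARGET });
  }
  // Same user, but the membership endpoint is rate-limited: the log must say so.
  results['alice (api 403)'] = await authorizeActor(
    makeFakeRest({ membershipError: 403 }), { actor: 'alice', ...TARGET });
  return results;
}

evaluateScenarios().then((r) => console.log(JSON.stringify(r, null, 2)));
```

In the workflow this would be called as `return authorizeActor(github.rest, { actor, org: context.repo.owner, owner: context.repo.owner, repo: context.repo.repo })` followed by `core.setFailed` on a denied result; the `checks` array is what the step log should carry, since a 404 and a 403 from the same endpoint lead to the same fallback but mean different things.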