ci

Author: pmalek

.github/_permission_check.yaml

@@ -0,0 +1,32 @@
+# The below allows PRs from forks to access the secrets in a secure way
+# https://michaelheap.com/access-secrets-from-forks
+# NOTE: Reviewer has to check whether the code in PR does not expose secrets!
+name: permission check
+
+on:
+  workflow_call:
+
+jobs:
+  check-permission:
+    runs-on: ubuntu-latest
+    steps:
+      - name: echo
+          echo "github.triggering_actor ${{ github.triggering_actor }}"
+          echo "github.actor ${{ github.actor }}"
+
+      - name: get user permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@v2
+        with:
+          require: write
+          username: ${{ github.triggering_actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: check user permission
+        if: github.triggering_actor != 'dependabot[bot]' && github.triggering_actor != 'renovate[bot]' && steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.triggering_actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          echo "Job originally triggered by ${{ github.actor }}"
+          exit 1

.github/check.yaml

@@ -0,0 +1,27 @@
+name: Checks
+run-name: Checks, branch:${{ github.ref_name }}, triggered by @${{ github.actor }}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.sha }}
+  cancel-in-progress: true
+
+on:
+  pull_request_target:
+    branches:
+      - '**'
+  push:
+    branches:
+      - 'main'
+    tags:
+      - '**'
+  workflow_dispatch: {}
+
+jobs:
+  check-permission:
+    uses: ./.github/workflows/_permission_check.yaml
+    secrets: inherit
+
+  checks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4