
Commit 5e087f4

committed
fix: fix CI permissions 4
1 parent fb6c656 commit 5e087f4


1 file changed

+22
-21
lines changed


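--- a/.github/workflows/_permission_check.yaml
+++ b/.github/workflows/_permission_check.yaml
@@ -12,7 +12,7 @@ on:
 type: string
 
 jobs:
-check-permission:
+check:
 runs-on: ubuntu-latest
 steps:
 - name: Logging
@@ -24,34 +24,35 @@ jobs:
 run: |
 echo "github.triggering_actor ${{ github.triggering_actor }}"
 echo "github.actor ${{ github.actor }}"
+echo "inputs.pr_user_login ${{ inputs.pr_user_login }}"
 
-- name: get user permission
-id: checkAccess
+- name: get whether triggering_actor (${{ github.triggering_actor }}) is a contributor
+id: check_triggering_actor
 uses: actions-cool/check-user-permission@v2
 with:
 require: write
+check-contributor: true
 username: ${{ github.triggering_actor }}
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-- name: check user permission (non-PR)
-if: ${{ inputs.pr_user_login }} == '' && steps.checkAccess.outputs.require-result == 'false'
-run: |
-echo "${{ github.triggering_actor }} does not have permissions on this repo."
-echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
-echo "Job originally triggered by ${{ github.actor }}"
-exit 1
-
-- name: check user permission
+- name: Check permissions
+# If
+# - this is triggered by a PR (send by someone else than dependabot or renovate), and
+# - PR author association is neither 'COLLABORATOR' nor 'OWNER', and
+# - triggering actor is not a contributor, then exit with an error.
 if: |
-!(
-(${{ inputs.pr_user_login }} == 'dependabot[bot]' && github.triggering_actor != 'dependabot[bot]') ||
-(${{ inputs.pr_user_login }} == 'renovate[bot]' && github.triggering_actor != 'renovate[bot]')
-)
-&&
-steps.checkAccess.outputs.require-result == 'false'
+inputs.pr_user_login != '' &&
+inputs.pr_user_login != 'dependabot[bot]' &&
+inputs.pr_user_login != 'renovate[bot]' &&
+github.event.pull_request.author_association != 'COLLABORATOR' &&
+github.event.pull_request.author_association != 'OWNER' &&
+steps.check_triggering_actor.outputs.check-result == 'false'
 run: |
-echo "${{ github.triggering_actor }} does not have permissions on this repo."
-echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
-echo "Job originally triggered by ${{ github.actor }}"
+echo "${{ inputs.pr_user_login }} (original PR submitter) does not have permissions on this repo."
+echo "The CI needs to be retriggered by collaborator or an owner."
+echo "Contributor check-result for triggering_actor: ${{ github.triggering_actor }} is ${{ steps.check_triggering_actor.outputs.check-result }}"
+echo "Current permission level for triggering_actor: ${{ github.triggering_actor }} is ${{ steps.check_triggering_actor.outputs.require-result }}"
+echo "PR author association is ${{ github.event.pull_request.author_association }}"
 exit 1
+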
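Review bot: The new `if:` on `Check permissions` fails the job only when `steps.check_triggering_actor.outputs.check-result` is `'false'`, i.e. when the triggering actor does not appear in the repository's contributor list; the step still asks for `require: write`, but `require-result` is now only echoed, so the gate has weakened from write permission to contributor status, and any account that once had a commit merged can retrigger CI for a third-party PR. If write access is still the intent, change the last condition to `steps.check_triggering_actor.outputs.require-result == 'false'` (or `&&` both outputs together) and reword the comment line `# - triggering actor is not a contributor` to match. With the non-PR step deleted, an empty `inputs.pr_user_login` now skips the check entirely, and a `dependabot[bot]`/`renovate[bot]` login skips it for any triggering actor whereas the old expression also required the actor to be that bot; both read as deliberate simplifications, but the header comment should say who is expected to guard those paths (the calling workflow, presumably). Because this third-party action receives `GITHUB_TOKEN` and decides whether CI proceeds, `uses: actions-cool/check-user-permission@v2` should be pinned to a full commit SHA (`@<commit-sha>  # v2`, placeholder to fill in) rather than a mutable tag.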
