
Commit f91bc07

committed
fix: fix CI permissions 4
1 parent fb6c656 commit f91bc07


1 file changed

+36
-20
lines changed

1 file changed

+36
-20
lines changed

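--- a/.github/workflows/_permission_check.yaml
+++ b/.github/workflows/_permission_check.yaml
@@ -12,7 +12,7 @@ on:
 type: string
 
 jobs:
-check-permission:
+check:
 runs-on: ubuntu-latest
 steps:
 - name: Logging
@@ -25,33 +25,49 @@ jobs:
 echo "github.triggering_actor ${{ github.triggering_actor }}"
 echo "github.actor ${{ github.actor }}"
 
-- name: get user permission
-id: checkAccess
+- run: |
+if [[ ! -z "${{ inputs.pr_user_login }}" ]]; then
+echo "USER=${{ inputs.pr_user_login }}" >> $GITHUB_ENV
+else
+echo "USER=${{ github.triggering_actor }}" >> $GITHUB_ENV
+fi
+
+- name: get user (${{ env.USER }}) permission
+id: check_access
 uses: actions-cool/check-user-permission@v2
 with:
 require: write
-username: ${{ github.triggering_actor }}
+username: ${{ env.USER }}
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-- name: check user permission (non-PR)
-if: ${{ inputs.pr_user_login }} == '' && steps.checkAccess.outputs.require-result == 'false'
-run: |
-echo "${{ github.triggering_actor }} does not have permissions on this repo."
-echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
-echo "Job originally triggered by ${{ github.actor }}"
-exit 1
+- name: get whether triggering_actor (${{ github.triggering_actor }}) is a contributor
+id: check_triggering_actor
+uses: actions-cool/check-user-permission@v2
+with:
+require: write
+check-contributor: true
+username: ${{ github.triggering_actor }}
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-- name: check user permission
+- name: Check permissions
+# If
+# - this is triggered by a PR (send by someone else than dependabot or renovate), and
+# - author association is neither 'COLLABORATOR' nor 'OWNER', and
+# - triggering actor is not a contributor, then exit with an error.
 if: |
-!(
-(${{ inputs.pr_user_login }} == 'dependabot[bot]' && github.triggering_actor != 'dependabot[bot]') ||
-(${{ inputs.pr_user_login }} == 'renovate[bot]' && github.triggering_actor != 'renovate[bot]')
-)
-&&
-steps.checkAccess.outputs.require-result == 'false'
+inputs.pr_user_login != '' &&
+inputs.pr_user_login != 'dependabot[bot]' &&
+inputs.pr_user_login != 'renovate[bot]' &&
+github.event.pull_request.author_association != 'COLLABORATOR' &&
+github.event.pull_request.author_association != 'OWNER' &&
+steps.check_triggering_actor.outputs.check-result == 'false'
 run: |
-echo "${{ github.triggering_actor }} does not have permissions on this repo."
-echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+echo "${{ inputs.pr_user_login }} does not have permissions on this repo."
+echo "Contributor check-result for triggering_actor: ${{ github.triggering_actor }} is ${{ steps.check_triggering_actor.outputs.check-result }}"
+echo "Current permission level is ${{ steps.check_access.outputs.user-permission }}"
 echo "Job originally triggered by ${{ github.actor }}"
+echo "Author association is ${{ github.event.pull_request.author_association }}"
 exit 1
+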
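Review bot: The new `- run: |` step (and the `echo "${{ inputs.pr_user_login }} does not have permissions on this repo."` line in `Check permissions`) expands `inputs.pr_user_login` directly inside the shell script and then appends it to `$GITHUB_ENV`, so whatever string the caller passes is spliced into the script text before bash runs it; the caller of this reusable workflow is outside this file, so I cannot tell here how that value is constrained. Passing the value through an `env:` mapping and referencing it as `"$PR_USER_LOGIN"` keeps it as data rather than script text, and `[[ -n ... ]]` with a quoted `"$GITHUB_ENV"` tidies the step (note that `USER` also shadows the conventional login variable for every later step in the job). Separately, `check_access` still computes `require-result` for `${{ env.USER }}`, but the rewritten `Check permissions` condition reads only `steps.check_triggering_actor.outputs.check-result`, so that write-permission check no longer gates anything and a non-PR trigger (`pr_user_login == ''`) can no longer fail this job; if that is intended, a comment saying so above `Check permissions` would save the next reader a search. The `check` job's definition begins in the first hunk and its last step ends at the added blank line.
```yaml
      - run: |
          if [[ -n "$PR_USER_LOGIN" ]]; then
            echo "USER=$PR_USER_LOGIN" >> "$GITHUB_ENV"
          else
            echo "USER=$TRIGGERING_ACTOR" >> "$GITHUB_ENV"
          fi
        env:
          PR_USER_LOGIN: ${{ inputs.pr_user_login }}
          TRIGGERING_ACTOR: ${{ github.triggering_actor }}
      # … unchanged: get user permission, contributor check, Check permissions …
```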