feat: add a step in workflow to check user permission

zakisk · zakisk · commit f96c75a68674 · 2025-08-19T17:00:29.000+05:30
Signed-off-by: Zaki Shaikh &lt;zashaikh@redhat.com&gt;
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -72,6 +72,19 @@ jobs:
         with:
           ref: ${{ inputs.target_ref || github.event.pull_request.head.sha || github.sha }}
 
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.10'
+
+      - name: Install Python dependencies
+        run: pip install requests
+
+      # - name: Check user permission
+      #   env:
+      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      #     REQUIRED_PERMISSION: "write"
+      #   run: python ./hack/check_permission.py
       - uses: actions/setup-go@v5
         with:
           go-version-file: "go.mod"
diff --git a/hack/check_permission.py b/hack/check_permission.py
@@ -0,0 +1,69 @@
+import os
+import sys
+import requests
+
+
+def check_user_permission():
+    """
+    Checks if the user who triggered the workflow has the required permission level.
+    """
+    # --- 1. Get required variables from the environment ---
+    token = os.getenv("GITHUB_TOKEN")
+    repo = os.getenv("GITHUB_REPOSITORY")
+    actor = os.getenv("GITHUB_ACTOR")
+    required_permission = os.getenv(
+        "REQUIRED_PERMISSION", "write"
+    )  # Default to 'write'
+
+    if not all([token, repo, actor]):
+        print("Error: Missing required environment variables.", file=sys.stderr)
+        sys.exit(1)
+
+    print(
+        f"Checking if user '{actor}' has '{required_permission}' permission on repo '{repo}'..."
+    )
+
+    # --- 2. Construct the API request ---
+    api_url = f"https://api.github.com/repos/{repo}/collaborators/{actor}/permission"
+    headers = {
+        "Authorization": f"Bearer {token}",
+        "Accept": "application/vnd.github.v3+json",
+    }
+
+    # --- 3. Make the API call ---
+    try:
+        response = requests.get(api_url, headers=headers)
+        response.raise_for_status()  # Raise an exception for bad status codes (4xx or 5xx)
+    except requests.exceptions.RequestException as e:
+        print(f"Error calling GitHub API: {e}", file=sys.stderr)
+        sys.exit(1)
+
+    # --- 4. Check the permission level ---
+    data = response.json()
+    user_permission = data.get("permission")
+
+    print(f"User '{actor}' has permission level: '{user_permission}'")
+
+    # The permission levels are ordered: read < write < admin
+    permission_levels = {
+        "read": 1,
+        "write": 2,
+        "admin": 3,
+    }
+
+    user_level = permission_levels.get(user_permission, 0)
+    required_level = permission_levels.get(required_permission, 2)
+
+    if user_level >= required_level:
+        print("✅ Success: User has sufficient permissions.")
+        sys.exit(0)
+    else:
+        print(
+            f"❌ Failure: User does not have the required '{required_permission}' permission.",
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    check_user_permission()
