ci: check permissions of triggering actor before running PR checks (#…

…1485) * ci: check permissions of triggering actor before running PR checks * remove maybe unnecessary lines * ci: use on: pull_request_target instead to be able to work with forks * chore: remove unused dependabot section
momentohq · Jan 8, 2025 · bffc8eb · bffc8eb
1 parent e32737b
commit bffc8eb
Showing 1 changed file with 22 additions and 35 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -1,14 +1,31 @@
 name: Build
 
 on:
-  pull_request:
+  pull_request_target:
     branches: [main]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
+  verify-user-permissions:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@v2
+        with:
+          require: write
+          username: ${{ github.triggering_actor }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.triggering_actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          echo "Job originally triggered by ${{ github.actor }}"
+          exit 1
+
   verify:
     runs-on: ubuntu-24.04
     steps:
@@ -359,6 +376,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   cache-tests:
+    needs: verify-user-permissions
     strategy:
       matrix:
         node: [18]
@@ -384,6 +402,7 @@ jobs:
           ./scripts/build-and-test-all-packages-consistent-reads.sh
 
   test-examples:
+    needs: verify-user-permissions
     strategy:
       matrix:
         node: [16, 18, 20]
@@ -500,6 +519,7 @@ jobs:
         run: exit 1
 
   test-web-examples:
+    needs: verify-user-permissions
     strategy:
       matrix:
         node: [ 16, 18 ]
@@ -550,16 +570,13 @@ jobs:
         run: exit 1
 
   test-deno-examples:
+    needs: verify-user-permissions
     strategy:
       matrix:
         node: [ 16, 18 ]
       fail-fast: true
     name: Test Deno examples on node ${{ matrix.node }}
     runs-on: ubuntu-24.04
-    env:
-      # TODO: remove token stored as secret in favor of using a
-      # momento-local instance that can be spun up for testing
-      MOMENTO_API_KEY: ${{ secrets.ALPHA_TEST_AUTH_TOKEN }}
 
     steps:
       - name: Setup repo
@@ -657,33 +674,3 @@ jobs:
             npm i
             npm run build
           popd
-  # https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#enable-auto-merge-on-a-pull-request
-  # dependabot-auto-merge:
-  #   name: Dependabot Auto Merge
-  #   permissions:
-  #     contents: write
-  #     pull-requests: write
-  #   runs-on: ubuntu-latest
-  #   # make sure we run all tests/examples and they pass before we try and auto approve/merge the dependabot prs
-  #   needs: [test-deno-examples, test-web-examples, test-examples, test, verify]
-  #   if: ${{ github.actor == 'dependabot[bot]' }}
-  #   steps:
-  #     - name: Dependabot metadata
-  #       id: metadata
-  #       uses: dependabot/fetch-metadata@v1
-  #       with:
-  #         github-token: "${{ secrets.GITHUB_TOKEN }}"
-  #     - name: Approve a PR
-  #       run: gh pr review --approve "$PR_URL"
-  #       env:
-  #         PR_URL: ${{github.event.pull_request.html_url}}
-  #         # need to have an approver first before dependabot can merge the pr, here we are using the shared
-  #         # momento github actions bot user
-  #         GH_TOKEN: ${{secrets.MOMENTO_MACHINE_USER_GITHUB_TOKEN}}
-  #     - name: Enable auto-merge for Dependabot PRs
-  #       if: ${{steps.metadata.outputs.update-type != 'version-update:semver-major'}}
-  #       run: gh pr merge --squash "$PR_URL"
-  #       env:
-  #         PR_URL: ${{github.event.pull_request.html_url}}
-  #         GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
-