mirror of
https://github.com/neondatabase/neon.git
synced 2026-01-14 17:02:56 +00:00
f2767d2056
## Problem For PRs from external contributors, we're still running `actionlint` and `neon_extra_builds` workflows (which could fail due to lack of permissions to secrets). ## Summary of changes - Extract `check-permissions` job to a separate reusable workflow - Depend all jobs from `actionlint` and `neon_extra_builds` workflows on `check-permissions`
37 lines
1.1 KiB
YAML
37 lines
1.1 KiB
YAML
name: Check Permissions
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
github-event-name:
|
|
required: true
|
|
type: string
|
|
|
|
defaults:
|
|
run:
|
|
shell: bash -euo pipefail {0}
|
|
|
|
# No permission for GITHUB_TOKEN by default; the **minimal required** set of permissions should be granted in each job.
|
|
permissions: {}
|
|
|
|
jobs:
|
|
check-permissions:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Disallow CI runs on PRs from forks
|
|
if: |
|
|
inputs.github-event-name == 'pull_request' &&
|
|
github.event.pull_request.head.repo.full_name != github.repository
|
|
run: |
|
|
if [ "${{ contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.pull_request.author_association) }}" = "true" ]; then
|
|
MESSAGE="Please create a PR from a branch of ${GITHUB_REPOSITORY} instead of a fork"
|
|
else
|
|
MESSAGE="The PR should be reviewed and labelled with 'approved-for-ci-run' to trigger a CI run"
|
|
fi
|
|
|
|
# TODO: use actions/github-script to post this message as a PR comment
|
|
echo >&2 "We don't run CI for PRs from forks"
|
|
echo >&2 "${MESSAGE}"
|
|
|
|
exit 1
|