Skip to content

feat: Add more granular permissions based on tags #9298

feat: Add more granular permissions based on tags

feat: Add more granular permissions based on tags #9298

name: Platform Pull Requests
on:
pull_request:
types: [opened, synchronize, reopened, ready_for_review]
paths-ignore:
- docs/**
- infrastructure/**
branches-ignore:
- release-please-*
jobs:
validate-pr-title:
name: Validate Conventional Commit title
runs-on: ubuntu-latest
steps:
- name: Check PR Conventional Commit title
uses: amannn/action-semantic-pull-request@v5
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
types: | # mirrors changelog-sections in the /release-please-config.json
feat
fix
infra
ci
docs
deps
perf
refactor
test
chore
add-labels:
name: Add labels based on Conventional Commit title
runs-on: ubuntu-latest
permissions:
pull-requests: write
steps:
- name: Auto-label PR with Conventional Commit title
uses: bcoe/conventional-release-labels@v1
with:
type_labels: |
{
"feat": "feature",
"fix": "fix",
"infra": "infrastructure",
"ci": "ci-cd",
"docs": "docs",
"deps": "dependencies",
"perf": "performance",
"refactor": "refactor",
"test": "testing",
"chore": "chore"
}
ignored_types: '[]'
check-permissions:
name: Check actor permissions
runs-on: ubuntu-latest
outputs:
can-write: ${{ steps.check.outputs.require-result }}
steps:
- uses: actions-cool/check-user-permission@main
id: check
with:
require: write
docker-build-unified:
if: github.event.pull_request.draft == false
needs: check-permissions
name: Build Unified Image
uses: ./.github/workflows/.reusable-docker-build.yml
with:
ephemeral: ${{ !needs.check-permissions.outputs.can-write }}
target: oss-unified
image-name: flagsmith
docker-build-api:
if: github.event.pull_request.draft == false
needs: check-permissions
name: Build API Image
uses: ./.github/workflows/.reusable-docker-build.yml
with:
ephemeral: ${{ !needs.check-permissions.outputs.can-write }}
target: oss-api
image-name: flagsmith-api
docker-build-frontend:
if: github.event.pull_request.draft == false
needs: check-permissions
name: Build Frontend Image
uses: ./.github/workflows/.reusable-docker-build.yml
with:
ephemeral: ${{ !needs.check-permissions.outputs.can-write }}
target: oss-frontend
image-name: flagsmith-frontend
docker-build-e2e:
if: github.event.pull_request.draft == false
needs: check-permissions
name: Build E2E Image
uses: ./.github/workflows/.reusable-docker-build.yml
with:
ephemeral: ${{ !needs.check-permissions.outputs.can-write }}
file: frontend/Dockerfile.e2e
image-name: flagsmith-e2e
scan: false
docker-build-private-cloud:
if: github.event.pull_request.draft == false && needs.check-permissions.outputs.can-write
needs: check-permissions
name: Build Private Cloud Image
uses: ./.github/workflows/.reusable-docker-build.yml
with:
target: private-cloud-unified
image-name: flagsmith-private-cloud
secrets:
secrets: |
github_private_cloud_token=${{ secrets.GH_PRIVATE_ACCESS_TOKEN }}
run-e2e-tests:
needs: [docker-build-api, docker-build-e2e]
uses: ./.github/workflows/.reusable-docker-e2e-tests.yml
with:
e2e-image: ${{ needs.docker-build-e2e.outputs.image }}
api-image: ${{ needs.docker-build-api.outputs.image }}
concurrency: ${{ matrix.args.concurrency }}
tests: ${{ matrix.args.tests }}
secrets: inherit
strategy:
matrix:
args:
- tests: segment-part-1 environment
concurrency: 1
- tests: segment-part-2
concurrency: 1
- tests: segment-part-3 signup flag invite project
concurrency: 2
- tests: versioning
concurrency: 1