From a465ea80dc1fc309184a5b1a750997ff0d28ddab Mon Sep 17 00:00:00 2001 From: Hector Castejon Diaz Date: Thu, 31 Oct 2024 10:34:11 +0100 Subject: [PATCH] WIP --- .github/workflows/external-message.yml | 77 ++++++++----------------- .github/workflows/integration-tests.yml | 6 +- 2 files changed, 27 insertions(+), 56 deletions(-) diff --git a/.github/workflows/external-message.yml b/.github/workflows/external-message.yml index 065f5663..3534ca09 100644 --- a/.github/workflows/external-message.yml +++ b/.github/workflows/external-message.yml @@ -11,6 +11,9 @@ on: branches: - main + pull_request: + types: [opened, synchronize] + jobs: comment-on-pr: 
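Review bot: The added `pull_request` trigger runs this job with a read-only GITHUB_TOKEN for pull requests opened from forks, regardless of the job's `pull-requests: write` permission, so the `gh pr comment` and comment-deletion steps later in the job will be rejected for exactly the external contributors the fallback message is meant for. For same-repo pull requests it appears to sit next to an existing pull-request-style trigger (the `branches: - main` filter above it is context from that trigger), so the job would run twice per push. If a single trigger is kept, a comment stating the reason above `on:` would prevent this from being re-added, e.g. `# The PR event type below is chosen so the bot token can comment on fork PRs; do not add a plain pull_request trigger.` The `on:` block begins before this hunk and the `comment-on-pr` job continues after it.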
@@ -19,65 +22,31 @@ jobs: pull-requests: write steps: - # NOTE: The following checks may not be accurate depending on Org or Repo settings. - - name: Check user and potential secret access + - uses: actions/checkout@v4 + + # If the user has a token, the integration-tests.yml workflow will write a message. Wait + # and check if the message is present. + - name: Wait for 30 seconds + run: sleep 30 + shell: bash + + - name: Check for integration tests comment id: check-secrets-access env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PR_NUMBER: ${{ github.event.pull_request.number }} run: | - USER_LOGIN="${{ github.event.pull_request.user.login }}" - REPO_OWNER="${{ github.repository_owner }}" - REPO_NAME="${{ github.event.repository.name }}" + comment_found=$(gh pr view $PR_NUMBER --json comments \ + --jq '.comments[].body | select(startswith(""))' \ + --repo ${{ github.repository }}) - echo "Pull request opened by: $USER_LOGIN" - - # Check if PR is from a fork - IS_FORK=$([[ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]] && echo "true" || echo "false") - - HAS_ACCESS="false" - - # Check user's permission level on the repository - USER_PERMISSION=$(gh api repos/$REPO_OWNER/$REPO_NAME/collaborators/$USER_LOGIN/permission --jq '.permission') - - if [[ "$USER_PERMISSION" == "admin" || "$USER_PERMISSION" == "write" ]]; then - HAS_ACCESS="true" - elif [[ "$USER_PERMISSION" == "read" ]]; then - # For read access, we need to check if the user has been explicitly granted secret access - # This information is not directly available via API, so we'll make an assumption - # that read access does not imply secret access - HAS_ACCESS="false" - fi - - # Check if repo owner is an organization - IS_ORG=$(gh api users/$REPO_OWNER --jq '.type == "Organization"') - - if [[ "$IS_ORG" == "true" && "$HAS_ACCESS" == "false" ]]; then - # Check if user is a member of any team with write or admin access to the 
repo - TEAMS_WITH_ACCESS=$(gh api repos/$REPO_OWNER/$REPO_NAME/teams --jq '.[] | select(.permission == "push" or .permission == "admin") | .slug') - for team in $TEAMS_WITH_ACCESS; do - IS_TEAM_MEMBER=$(gh api orgs/$REPO_OWNER/teams/$team/memberships/$USER_LOGIN --silent && echo "true" || echo "false") - if [[ "$IS_TEAM_MEMBER" == "true" ]]; then - HAS_ACCESS="true" - break - fi - done - fi - - # If it's a fork, set HAS_ACCESS to false regardless of other checks - if [[ "$IS_FORK" == "true" ]]; then - HAS_ACCESS="false" - fi - - echo "has_secrets_access=$HAS_ACCESS" >> $GITHUB_OUTPUT - if [[ "$HAS_ACCESS" == "true" ]]; then - echo "User $USER_LOGIN likely has access to secrets" + if [ -n "$comment_found" ]; then + echo "has_secrets_access=true" >> $GITHUB_OUTPUT else - echo "User $USER_LOGIN likely does not have access to secrets" + echo "has_secrets_access=false" >> $GITHUB_OUTPUT fi - - - uses: actions/checkout@v4 - + # If not found, write a comment for manual execution - name: Delete old comments if: steps.check-secrets-access.outputs.has_secrets_access != 'true' env: @@ -85,7 +54,7 @@ jobs: run: | # Delete previous comment if it exists previous_comment_ids=$(gh api "repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \ - --jq '.[] | select(.body | startswith("")) | .id') + --jq '.[] | select(.body | startswith("")) | .id') echo "Previous comment IDs: $previous_comment_ids" # Iterate over each comment ID and delete the comment if [ ! -z "$previous_comment_ids" ]; then @@ -102,7 +71,7 @@ jobs: COMMIT_SHA: ${{ github.event.pull_request.head.sha }} run: | gh pr comment ${{ github.event.pull_request.number }} --body \ - " + " Run integration tests manually: [go/deco-tests-run/sdk-java](https://go/deco-tests-run/sdk-java) diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index e7dc1f1d..7035f0ff 100644 --- a/.github/workflows/integration-tests.yml 
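Review bot: The filter `select(startswith(""))` in the new "Check for integration tests comment" step matches every comment body, so `comment_found` is non-empty as soon as anyone, including the PR author, has commented, and `has_secrets_access=true` is emitted with no relation to the integration-tests workflow; the same empty-prefix filter is the only change in the `@@ -85` hunk below, where it would select every comment on the PR for deletion, and the `--body "` prefix in the `@@ -102` hunk looks equally empty. If the marker is a non-ASCII character that was lost in rendering this is moot, but moving it into a step-level env var such as `MARKER: "<integration-tests comment marker>"` (placeholder) and referencing that from the jq filter would make the intent visible and greppable in all three places. The fixed `sleep 30` is also a race against an independently scheduled workflow; a bounded polling loop, or having integration-tests.yml itself post the fallback message when it does not run, would be deterministic. Since the step id `check-secrets-access` now measures comment presence rather than repository permissions, a comment above the step like `# Heuristic: integration-tests.yml only comments on PRs whose run had the environment secrets` would help the next reader. The `comment-on-pr` job begins before this hunk.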
+++ b/.github/workflows/integration-tests.yml @@ -20,8 +20,8 @@ jobs: echo "GITHUB_TOKEN is empty. User has no access to tokens." echo "::set-output name=has_token::false" else - echo "GITHUB_TOKEN is set. User has no access to tokens." - echo "::set-output name=has_token::true" + echo "GITHUB_TOKEN is set. User has access to tokens." + echo "::set-output name=has_token::false" fi trigger-tests: @@ -29,6 +29,8 @@ jobs: runs-on: ubuntu-latest needs: check-token if: github.event_name == 'pull_request' && needs.check-token.outputs.has_token == 'true' + needs: check-token + if: github.event_name == 'pull_request' && needs.check-token.outputs.has_token == 'true' environment: "test-trigger-is" steps: - uses: actions/checkout@v3
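Review bot: Both branches of the token check now write `has_token::false` — the `else` branch was flipped from `true` to `false` while its log line in the same hunk says the token is set — so `needs.check-token.outputs.has_token == 'true'` in `trigger-tests` can never hold and the integration tests would never be triggered from this workflow. If that is a deliberate WIP kill switch it deserves an inline comment saying so; otherwise the line should read `echo "::set-output name=has_token::true"`. Independently, `::set-output` is deprecated in GitHub Actions; the current form is `echo "has_token=true" >> "$GITHUB_OUTPUT"` (and `false` in the other branch). The enclosing step and its `if` begin outside this hunk.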
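Review bot: Duplicate `needs:` and `if:` keys now appear under `trigger-tests`: the two added lines repeat the two context lines directly above them, which is invalid YAML — the Actions workflow parser rejects the file, and lenient parsers silently keep the last value. The two added lines should be dropped, leaving the original `needs: check-token` and `if: github.event_name == 'pull_request' && needs.check-token.outputs.has_token == 'true'` in place. The `trigger-tests` job continues past this hunk's last line.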