Abort if the person who triggered the CI is not a maintainer

stripe-samples · Mar 11, 2023 · 165b7c6 · 165b7c6
1 parent 2f82783
commit 165b7c6
Showing 1 changed file with 38 additions and 6 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,30 +2,52 @@ name: CI
 on:
   push:
     branches:
-      - '**'
-      - '!dependabot/**'
-  pull_request:
-    # NOTE: does not work for some reasons
-    # branches:
-    #   - 'dependabot/**'
+      - 'main'
+  pull_request_target:
 
 env:
   STRIPE_PUBLISHABLE_KEY: ${{ secrets.TEST_STRIPE_PUBLISHABLE_KEY }}
   STRIPE_SECRET_KEY: ${{ secrets.TEST_STRIPE_SECRET_KEY }}
   COMPOSE_FILE: docker-compose.yml:docker-compose.playwright.yml
+  MAINTAINERS: |
+    cecilphillip-stripe
+    charliegerard-stripe
+    cjavilla-stripe
+    dependabot[bot]
+    erinkavanaugh-stripe
+    hideokamoto-stripe
+    kevinpeters-stripe
+    paulasjes-stripe
+    thorsten-stripe
 
 concurrency:
   group: ci-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
+  require-permission:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'check if the triggering actor is one of the maintainers'
+        run: |
+          while read item; do
+            if [[ "$item" == "${{ github.triggering_actor }}" ]]; then
+              exit # safe to run tests with write permission
+            fi
+          done <<< "$MAINTAINERS"
+
+          echo 'CI have to be re-run by one of the $MAINTAINERS' >> $GITHUB_STEP_SUMMARY
+          exit 1
+
   changed_files:
     runs-on: ubuntu-latest
+    needs: require-permission
     outputs:
       files: ${{ steps.diff.outputs.files }}
     steps:
       - uses: actions/checkout@v3
         with:
+          ref: ${{ github.event.after || github.event.pull_request.head.sha }}
           fetch-depth: 0
 
       - name: 'Collect changed files'
@@ -96,6 +118,8 @@ jobs:
 
       - uses: actions/checkout@v3
         if: ${{ steps.if_running.outputs.running }}
+        with:
+          ref: ${{ github.event.after || github.event.pull_request.head.sha }}
 
       - uses: actions/checkout@v3
         if: ${{ steps.if_running.outputs.running }}
@@ -177,6 +201,8 @@ jobs:
 
       - uses: actions/checkout@v3
         if: ${{ steps.if_running.outputs.running }}
+        with:
+          ref: ${{ github.event.after || github.event.pull_request.head.sha }}
 
       - uses: actions/checkout@v3
         if: ${{ steps.if_running.outputs.running }}
@@ -254,6 +280,8 @@ jobs:
 
       - uses: actions/checkout@v3
         if: ${{ steps.if_running.outputs.running }}
+        with:
+          ref: ${{ github.event.after || github.event.pull_request.head.sha }}
 
       - uses: actions/checkout@v3
         if: ${{ steps.if_running.outputs.running }}
@@ -317,6 +345,8 @@ jobs:
 
       - uses: actions/checkout@v3
         if: ${{ steps.if_running.outputs.running }}
+        with:
+          ref: ${{ github.event.after || github.event.pull_request.head.sha }}
 
       - name: Build
         if: ${{ steps.if_running.outputs.running }}
@@ -339,6 +369,8 @@ jobs:
 
       - uses: actions/checkout@v3
         if: ${{ steps.if_running.outputs.running }}
+        with:
+          ref: ${{ github.event.after || github.event.pull_request.head.sha }}
 
       - name: Build
         if: ${{ steps.if_running.outputs.running }}