From 3453ae84a166c9620ded5ff0beec99dfaddc6999 Mon Sep 17 00:00:00 2001
From: Hibariya
Date: Sat, 11 Mar 2023 17:24:35 +0900
Subject: [PATCH] Abort if the person who triggered the CI is not a maintainer
---
 .github/workflows/ci.yml | 44 ++++++++++++++++++++++++++++++++++------
 1 file changed, 38 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 318e8b5da5..c5d4c8d4fe 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,30 +2,52 @@ name: CI
 on:
 push:
 branches:
- - '**'
- - '!dependabot/**'
- pull_request:
- # NOTE: does not work for some reasons
- # branches:
- # - 'dependabot/**'
+ - 'main'
+ pull_request_target:
 env:
 STRIPE_PUBLISHABLE_KEY: ${{ secrets.TEST_STRIPE_PUBLISHABLE_KEY }}
 STRIPE_SECRET_KEY: ${{ secrets.TEST_STRIPE_SECRET_KEY }}
 COMPOSE_FILE: docker-compose.yml:docker-compose.playwright.yml
+ MAINTAINERS: |
+ cecilphillip-stripe
+ charliegerard-stripe
+ cjavilla-stripe
+ dependabot[bot]
+ erinkavanaugh-stripe
+ hideokamoto-stripe
+ kevinpeters-stripe
+ paulasjes-stripe
+ thorsten-stripe
 concurrency:
 group: ci-${{ github.ref }}
 cancel-in-progress: true
 jobs:
+ triggered_by_maintainer:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'check if the triggering actor is one of the maintainers'
+ run: |
+ while read item; do
+ if [[ "$item" == "${{ github.triggering_actor }}" ]]; then
+ exit # has permission
+ fi
+ done <<< "$MAINTAINERS"
+
+ echo 'CI have to be re-run by one of the $MAINTAINERS' >> $GITHUB_STEP_SUMMARY
+ exit 1
+
 changed_files:
 runs-on: ubuntu-latest
+ needs: triggered_by_maintainer
 outputs:
 files: ${{ steps.diff.outputs.files }}
 steps:
 - uses: actions/checkout@v3
 with:
+ ref: ${{ github.event.after || github.event.pull_request.head.sha }}
 fetch-depth: 0
 - name: 'Collect changed files'
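Review bot: The `concurrency` block kept as context in this hunk still keys on `github.ref`, and under the new `pull_request_target` trigger that value is the base branch rather than the pull request's own ref. Every pull request against the same base, and pushes to `main`, would then share one group with `cancel-in-progress: true`, so a run that goes on to fail the `triggered_by_maintainer` gate can still cancel an approved run that is in progress. Keying on the pull request, `group: ci-${{ github.event.pull_request.number || github.ref }}`, keeps runs separate. In the gate step itself, passing the actor through the step's `env:` (`ACTOR: ${{ github.triggering_actor }}`) and comparing with `"$item" == "$ACTOR"` keeps the expression out of the script text.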
@@ -96,6 +118,8 @@ jobs:
 - uses: actions/checkout@v3
 if: ${{ steps.if_running.outputs.running }}
+ with:
+ ref: ${{ github.event.after || github.event.pull_request.head.sha }}
 - uses: actions/checkout@v3
 if: ${{ steps.if_running.outputs.running }}
@@ -177,6 +201,8 @@ jobs:
 - uses: actions/checkout@v3
 if: ${{ steps.if_running.outputs.running }}
+ with:
+ ref: ${{ github.event.after || github.event.pull_request.head.sha }}
 - uses: actions/checkout@v3
 if: ${{ steps.if_running.outputs.running }}
@@ -254,6 +280,8 @@ jobs:
 - uses: actions/checkout@v3
 if: ${{ steps.if_running.outputs.running }}
+ with:
+ ref: ${{ github.event.after || github.event.pull_request.head.sha }}
 - uses: actions/checkout@v3
 if: ${{ steps.if_running.outputs.running }}
@@ -317,6 +345,8 @@ jobs:
 - uses: actions/checkout@v3
 if: ${{ steps.if_running.outputs.running }}
+ with:
+ ref: ${{ github.event.after || github.event.pull_request.head.sha }}
 - name: Build
 if: ${{ steps.if_running.outputs.running }}
@@ -339,6 +369,8 @@ jobs:
 - uses: actions/checkout@v3
 if: ${{ steps.if_running.outputs.running }}
+ with:
+ ref: ${{ github.event.after || github.event.pull_request.head.sha }}
 - name: Build
 if: ${{ steps.if_running.outputs.running }}
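Review bot: The checkout changed in this hunk, like the identical ones in the four hunks after it and the `changed_files` checkout in the first hunk, fetches the pull request's head commit under `pull_request_target` while leaving actions/checkout's default credential persistence on. The job's `GITHUB_TOKEN` therefore stays in the local git config, where the later build and test steps that run the checked-out code can read it; adding `persist-credentials: false` under each `with:` removes that. No `permissions:` block is visible in any hunk, so if the rest of the file does not set one, a top-level `permissions:` with `contents: read` would narrow what the token can do. The jobs these steps belong to start and end outside the hunks, so whether each of them depends on the `triggered_by_maintainer` gate through `needs:` should be confirmed against the full file.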