Merge pull request #1612 from hibariya/maintainers-can-run-tests

Grant write permissions only when a maintainer triggered a CI
stripe-samples · May 25, 2023 · 7ee1421 · 7ee1421
2 parents 91ee095 + 7723987
commit 7ee1421
Showing 1 changed file with 42 additions and 12 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,30 +2,50 @@ name: CI
 on:
   push:
     branches:
-      - '**'
-      - '!dependabot/**'
-  pull_request:
-    # NOTE: does not work for some reasons
-    # branches:
-    #   - 'dependabot/**'
+      - 'main'
+  pull_request_target:
 
 env:
   STRIPE_PUBLISHABLE_KEY: ${{ secrets.TEST_STRIPE_PUBLISHABLE_KEY }}
   STRIPE_SECRET_KEY: ${{ secrets.TEST_STRIPE_SECRET_KEY }}
   COMPOSE_FILE: docker-compose.yml:docker-compose.playwright.yml
+  MAINTAINERS: |
+    cecilphillip-stripe
+    charliegerard-stripe
+    dependabot[bot]
+    erinkavanaugh-stripe
+    hideokamoto-stripe
+    kevinpeters-stripe
+    paulasjes-stripe
 
 concurrency:
-  group: ci-${{ github.ref }}
+  group: ci-${{ github.event.pull_request.head.ref || github.ref }}
   cancel-in-progress: true
 
 jobs:
+  require-permission:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'check if the triggering actor is one of the maintainers'
+        run: |
+          while read item; do
+            if [[ "$item" == "${{ github.triggering_actor }}" ]]; then
+              exit # safe to run tests with write permission
+            fi
+          done <<< "$MAINTAINERS"
+
+          echo 'CI have to be re-run by one of the $MAINTAINERS' >> $GITHUB_STEP_SUMMARY
+          exit 1
+
   changed_files:
     runs-on: ubuntu-latest
+    needs: require-permission
     outputs:
       files: ${{ steps.diff.outputs.files }}
     steps:
       - uses: actions/checkout@v3
         with:
+          ref: ${{ github.event.after || github.event.pull_request.head.sha }}
           fetch-depth: 0
 
       - name: 'Collect changed files'
@@ -89,13 +109,15 @@ jobs:
         run: |
           prefix="${{ matrix.target.sample }}/server/${{ matrix.runtime.server_type }}"
 
-          if [[ "${{ github.ref }}" = "refs/heads/main" ]] || \
+          if [[ "${{ github.event.pull_request.head.ref || github.ref }}" = "refs/heads/main" ]] || \
             [[ $(echo "${{ needs.changed_files.outputs.files }}" | grep -E "^${prefix}") ]]
           then echo 'running=true' >> $GITHUB_OUTPUT
           fi
 
       - uses: actions/checkout@v3
         if: ${{ steps.if_running.outputs.running }}
+        with:
+          ref: ${{ github.event.after || github.event.pull_request.head.sha }}
 
       - uses: actions/checkout@v3
         if: ${{ steps.if_running.outputs.running }}
@@ -170,13 +192,15 @@ jobs:
         run: |
           prefix="${{ matrix.target.sample }}/client/${{ matrix.implementation.client_type }}"
 
-          if [[ "${{ github.ref }}" = "refs/heads/main" ]] || \
+          if [[ "${{ github.event.pull_request.head.ref || github.ref }}" = "refs/heads/main" ]] || \
             [[ $(echo "${{ needs.changed_files.outputs.files }}" | grep -E "^${prefix}") ]]
           then echo 'running=true' >> $GITHUB_OUTPUT
           fi
 
       - uses: actions/checkout@v3
         if: ${{ steps.if_running.outputs.running }}
+        with:
+          ref: ${{ github.event.after || github.event.pull_request.head.sha }}
 
       - uses: actions/checkout@v3
         if: ${{ steps.if_running.outputs.running }}
@@ -247,13 +271,15 @@ jobs:
         run: |
           prefix="${{ matrix.target.sample }}/client/${{ matrix.implementation.client_type }}"
 
-          if [[ "${{ github.ref }}" = "refs/heads/main" ]] || \
+          if [[ "${{ github.event.pull_request.head.ref || github.ref }}" = "refs/heads/main" ]] || \
             [[ $(echo "${{ needs.changed_files.outputs.files }}" | grep -E "^${prefix}") ]]
           then echo 'running=true' >> $GITHUB_OUTPUT
           fi
 
       - uses: actions/checkout@v3
         if: ${{ steps.if_running.outputs.running }}
+        with:
+          ref: ${{ github.event.after || github.event.pull_request.head.sha }}
 
       - uses: actions/checkout@v3
         if: ${{ steps.if_running.outputs.running }}
@@ -310,13 +336,15 @@ jobs:
         run: |
           prefix="custom-payment-flow/client/android-kotlin"
 
-          if [[ "${{ github.ref }}" = "refs/heads/main" ]] || \
+          if [[ "${{ github.event.pull_request.head.ref || github.ref }}" = "refs/heads/main" ]] || \
             [[ $(echo "${{ needs.changed_files.outputs.files }}" | grep -E "^${prefix}") ]]
           then echo 'running=true' >> $GITHUB_OUTPUT
           fi
 
       - uses: actions/checkout@v3
         if: ${{ steps.if_running.outputs.running }}
+        with:
+          ref: ${{ github.event.after || github.event.pull_request.head.sha }}
 
       - name: Build
         if: ${{ steps.if_running.outputs.running }}
@@ -332,13 +360,15 @@ jobs:
         run: |
           prefix="custom-payment-flow/client/ios-swiftui"
 
-          if [[ "${{ github.ref }}" = "refs/heads/main" ]] || \
+          if [[ "${{ github.event.pull_request.head.ref || github.ref }}" = "refs/heads/main" ]] || \
             [[ $(echo "${{ needs.changed_files.outputs.files }}" | grep -E "^${prefix}") ]]
           then echo 'running=true' >> $GITHUB_OUTPUT
           fi
 
       - uses: actions/checkout@v3
         if: ${{ steps.if_running.outputs.running }}
+        with:
+          ref: ${{ github.event.after || github.event.pull_request.head.sha }}
 
       - name: Build
         if: ${{ steps.if_running.outputs.running }}