Fix workflow permission check logic (#4084)

### Description This improves the permission checking logic for running github actions. We also have it setup to only run actions by organization members, but this acts as an additional check. --------- Co-authored-by: Andy Boedo <[email protected]>
RevenueCat · Jul 19, 2024 · d9f783b · d9f783b
1 parent f6cb37f
commit d9f783b
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/.github/workflows/trigger_all_tests.yml b/.github/workflows/trigger_all_tests.yml
@@ -9,15 +9,18 @@ jobs:
     runs-on: ubuntu-latest
     if: |
       ${{ github.event.issue.pull_request }} &&
-      github.event.comment.body == '@RCGitBot please test'
+      github.event.comment.body == '@RCGitBot please test' &&
+      github.repository == 'RevenueCat/purchases-ios'
 
     steps:
       - name: Check membership in RevenueCat Org
+        env:
+          READ_ORG_GITHUB_TOKEN: ${{ secrets.READ_ORG_GITHUB_TOKEN }}
         id: verify
         # ensure that only RevenueCat members can trigger this
         run: |
-          RESPONSE=$(curl https://api.github.com/orgs/RevenueCat/members/${{ github.event.comment.user.login }})
-          if [[ "$RESPONSE" == *"Not Found"* ]]; then
+          RESPONSE=$(curl -s -o /dev/null --head -w "%{http_code}" -H "Authorization: Bearer $READ_ORG_GITHUB_TOKEN" https://api.github.com/orgs/RevenueCat/members/${{ github.event.comment.user.login }})
+          if [[ "$RESPONSE" != "204" ]]; then
             echo "User is not a member of the organization"
             exit 1
           fi