From d9f783ba209227615cc8f8faefc46a934ae75a2f Mon Sep 17 00:00:00 2001
From: Toni Rico
Date: Fri, 19 Jul 2024 10:40:58 +0200
Subject: [PATCH] Fix workflow permission check logic (#4084)

### Description
This improves the permission checking logic for running github actions. We also have it setup to only run actions by organization members, but this acts as an additional check.

---------

Co-authored-by: Andy Boedo
---
 .github/workflows/trigger_all_tests.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/trigger_all_tests.yml b/.github/workflows/trigger_all_tests.yml
index 89a9cf462f..2c76babb2c 100644
--- a/.github/workflows/trigger_all_tests.yml
+++ b/.github/workflows/trigger_all_tests.yml
@@ -9,15 +9,18 @@ jobs:
 runs-on: ubuntu-latest
 if: |
 ${{ github.event.issue.pull_request }} &&
- github.event.comment.body == '@RCGitBot please test'
+ github.event.comment.body == '@RCGitBot please test' &&
+ github.repository == 'RevenueCat/purchases-ios'
 steps:
 - name: Check membership in RevenueCat Org
+ env:
+ READ_ORG_GITHUB_TOKEN: ${{ secrets.READ_ORG_GITHUB_TOKEN }}
 id: verify
 # ensure that only RevenueCat members can trigger this
 run: |
- RESPONSE=$(curl https://api.github.com/orgs/RevenueCat/members/${{ github.event.comment.user.login }})
- if [[ "$RESPONSE" == *"Not Found"* ]]; then
+ RESPONSE=$(curl -s -o /dev/null --head -w "%{http_code}" -H "Authorization: Bearer $READ_ORG_GITHUB_TOKEN" https://api.github.com/orgs/RevenueCat/members/${{ github.event.comment.user.login }})
+ if [[ "$RESPONSE" != "204" ]]; then
 echo "User is not a member of the organization"
 exit 1
 fi
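Review bot: The rewritten `RESPONSE=$(curl ...)` line still expands `${{ github.event.comment.user.login }}` directly into shell text instead of reading it from an environment variable, so event data is spliced into the script rather than passed as data; GitHub logins are tightly constrained, which limits the practical risk, but the `env:` block this commit adds to the same step is the natural place for it, e.g. `COMMENT_USER: ${{ github.event.comment.user.login }}` and then `"https://api.github.com/orgs/RevenueCat/members/$COMMENT_USER"` (quoted) in the curl URL. On the positive side the new `!= "204"` comparison fails closed: curl prints `000` when the request itself fails, and a 302 (which the members endpoint returns when the token's own identity is not an org member) or 404 also denies, so a bad or under-scoped `READ_ORG_GITHUB_TOKEN` blocks everyone rather than letting anyone through. Making that explicit would help the next maintainer, e.g. `# 204 = confirmed member; 404, 302 and curl failure (000) all deny` in place of the current `# ensure that only RevenueCat members can trigger this`. The job-level `if:` still mixes a `${{ }}` segment on the first line with bare expression text on the lines the commit adds; if the runner does not evaluate that as a single boolean expression the condition may be truthy simply as a non-empty string, so wrapping the whole condition in one `${{ ... }}` is worth verifying, and the job's later steps that consume this check fall outside the hunk.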