From e1e812a44d0a26aae54bae168c27db9ce1598aa6 Mon Sep 17 00:00:00 2001
From: Hector Castejon Diaz
Date: Tue, 29 Oct 2024 10:36:03 +0100
Subject: [PATCH] Updates
---
 .github/workflows/external-message.yml | 40 +++++++++++++++++++------
 .github/workflows/integration-tests.yml | 21 +++++++++++--
 2 files changed, 50 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/external-message.yml b/.github/workflows/external-message.yml
index fca26498..00887c95 100644
--- a/.github/workflows/external-message.yml
+++ b/.github/workflows/external-message.yml
@@ -11,6 +11,9 @@ on:
 branches:
 - main
+ pull_request:
+ types: [opened, reopened, synchronize]
+
 jobs:
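Review bot: The new `pull_request:` trigger has no `branches:` filter, unlike the existing event whose `branches: [main]` filter is visible as context (the event key itself sits above the hunk), so the job now fires on PRs against any branch and, if the existing event is also a PR-type trigger such as `pull_request_target`, twice per PR. The job below runs with `pull-requests: write` and uses `GITHUB_TOKEN` to delete and post comments; on a `pull_request` run from a fork that token is read-only, so those steps would fail for exactly the external PRs this workflow is meant to handle. If the intent is only to react to PRs against `main`, add `branches: [main]` under the new `pull_request:`; if the intent is to cover forks, the existing trigger should be left to do that and the new one dropped. I am inferring the existing event type from the `branches:`/`- main` context, so please confirm against the full `on:` block.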
@@ -18,20 +21,39 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 pull-requests: write
+
 steps:
- - name: Check if external contribution
- id: check_fork
+ # NOTE: This is not 100% accurate, but it should work for most cases.
+ - name: Check user and potential secret access
+ id: check-secrets-access
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
- if [ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]; then
- echo "is_fork=true" >> $GITHUB_OUTPUT
+ # Get user info
+ USER_LOGIN="${{ github.event.pull_request.user.login }}"
+ echo "Pull request opened by: $USER_LOGIN"
+
+ # Check if user is a collaborator
+ IS_COLLABORATOR=$(gh api repos/${{ github.repository }}/collaborators/$USER_LOGIN --silent && echo "true" || echo "false")
+
+ # Check if PR is from a fork
+ BASE_REPO="${{ github.event.pull_request.base.repo.full_name }}"
+ HEAD_REPO="${{ github.event.pull_request.head.repo.full_name }}"
+ IS_FORK=$([[ "$BASE_REPO" != "$HEAD_REPO" ]] && echo "true" || echo "false")
+
+ # Determine potential secret access
+ if [[ "$IS_COLLABORATOR" == "true" && "$IS_FORK" == "false" ]]; then
+ echo "has_secrets_access=true" >> $GITHUB_OUTPUT
+ echo "User $USER_LOGIN likely has access to secrets"
 else
- echo "is_fork=false" >> $GITHUB_OUTPUT
+ echo "has_secrets_access=false" >> $GITHUB_OUTPUT
+ echo "User $USER_LOGIN likely does not have access to secrets"
 fi
 - uses: actions/checkout@v4
 - name: Delete old comments
- if: steps.check_fork.outputs.is_fork == 'true'
+ if: steps.check-secrets-access.outputs.has_secrets_access != 'true'
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
@@ -48,7 +70,7 @@ jobs:
 fi
 - name: Comment on PR
- if: steps.check_fork.outputs.is_fork == 'true'
+ if: steps.check-secrets-access.outputs.is_fork != 'true'
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
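Review bot: The `IS_COLLABORATOR` check in the new `Check user and potential secret access` step uses the bare `collaborators/$USER_LOGIN` endpoint, which answers 204 for anyone with any access level, including read-only outside collaborators and org members who only hold the default base permission, so "collaborator" here does not imply the write access the `has_secrets_access` label suggests. The `/permission` variant returns the effective level and lets the step require `admin` or `write`; the fork check that follows is the part that actually tracks secret availability for `pull_request` runs and can stay as is. Minor: `github.event.pull_request.user.login` and the repo names are interpolated straight into the `run:` script; those fields have a constrained character set so there is no injection today, but passing them via `env:` is the convention that keeps the step safe when another event field is added later. The job header for this `steps:` list is above the hunk.
```yaml
          # Check the user's permission level; the bare collaborators endpoint
          # also answers 204 for read-only collaborators.
          PERMISSION=$(gh api "repos/${GITHUB_REPOSITORY}/collaborators/${USER_LOGIN}/permission" --jq '.permission' 2>/dev/null || echo "none")
          case "$PERMISSION" in
            admin|write) IS_COLLABORATOR="true" ;;
            *) IS_COLLABORATOR="false" ;;
          esac
          # … unchanged: fork check and has_secrets_access output …
```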
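Review bot: The new condition on the `Comment on PR` step reads `steps.check-secrets-access.outputs.is_fork`, but that step only writes `has_secrets_access` (see the preceding hunk), so the expression compares an empty string with `'true'` and is always true: the external-contribution comment is posted on every PR, trusted ones included, while `Delete old comments` correctly keys off `has_secrets_access`. Change it to `if: steps.check-secrets-access.outputs.has_secrets_access != 'true'` so the two steps agree. The step's `run:` body continues past the end of the hunk.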
@@ -58,8 +80,8 @@ jobs:
 [go/deco-tests-run/sdk-go](https://go/deco-tests-run/sdk-go)
 Inputs:
- PR Number:${{github.event.pull_request.number}}
- Commit SHA:${{ github.event.pull_request.head.sha }}
+ PR number: ${{github.event.pull_request.number}}
+ Commit SHA: `${{ github.event.pull_request.head.sha }}`
 Checks will be approved automatically on success.
 "
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 870cccc6..8ec67398 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -9,11 +9,28 @@ on:
 jobs:
- # Secrets are not available for forks.
+ check-token:
+ name: Check GITHUB_TOKEN
+ runs-on: ubuntu-latest
+ outputs:
+ has_token: ${{ steps.set-token-status.outputs.has_token }}
+ steps:
+ - name: Check if GITHUB_TOKEN is set
+ id: set-token-status
+ run: |
+ if [ -z "${{ secrets.GITHUB_TOKEN }}" ]; then
+ echo "GITHUB_TOKEN is empty."
+ echo "::set-output name=has_token::true"
+ else
+ echo "GITHUB_TOKEN is set."
+ echo "::set-output name=has_token::false"
+ fi
+
 trigger-tests:
- if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
 name: Trigger Tests
 runs-on: ubuntu-latest
+ needs: check-token
+ if: github.event_name == 'pull_request' && needs.check-token.outputs.has_token == 'true'
 environment: "test-trigger-is"
 steps:
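Review bot: The `has_token` output of the new `check-token` job is inverted — the `-z` branch that prints "GITHUB_TOKEN is empty." sets `has_token::true` and the else branch sets `false` — and, independently, `GITHUB_TOKEN` is provisioned for every workflow run including fork PRs (with reduced permissions), so an emptiness test on it never distinguishes a fork. As written `trigger-tests` is skipped on every PR; with only the inversion fixed it would run for fork PRs too, which is exactly what the removed `head.repo.full_name == github.repository` condition prevented, and that job runs in the `test-trigger-is` environment. Keep the fork condition in `trigger-tests`' `if:`, pass the secret through `env:` instead of interpolating it into the script, and replace the deprecated `::set-output` with `$GITHUB_OUTPUT`; if the goal is really "are repository secrets present", test a secret that is genuinely absent for forks rather than `GITHUB_TOKEN`.
```yaml
      - name: Check if GITHUB_TOKEN is set
        id: set-token-status
        env:
          TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          if [ -z "$TOKEN" ]; then
            echo "GITHUB_TOKEN is empty."
            echo "has_token=false" >> "$GITHUB_OUTPUT"
          else
            echo "GITHUB_TOKEN is set."
            echo "has_token=true" >> "$GITHUB_OUTPUT"
          fi
  # … unchanged: check-token job header and outputs …
  trigger-tests:
    # … unchanged: name, runs-on, needs …
    if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && needs.check-token.outputs.has_token == 'true'
```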