Merge pull request #672 from github/lcartey/remove-acls

Remove ACLs for automated testing dispatch targets
github · Sep 11, 2024 · 1d31e3a · 1d31e3a
2 parents 6b3a593 + 88bc3da
commit 1d31e3a
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 42 deletions.
diff --git a/.github/actions/check-permissions/action.yml b/.github/actions/check-permissions/action.yml
@@ -0,0 +1,43 @@
+name: Check current actor permissions
+description: |
+  Checks whether the current actor has the specified permssions
+inputs:
+  minimum-permission:
+    description: |
+      The minimum required permission. One of: read, write, admin
+    required: true
+outputs:
+  has-permission:
+    description: "Whether the actor had the minimum required permission"
+    value: ${{ steps.check-permission.outputs.has-permission }}
+
+runs:
+  using: composite
+  steps:
+  - uses: actions/github-script@v7
+    id: check-permission
+    with:
+      script: |
+        // Valid permissions are none, read, write, admin (legacy base permissions)
+        const permissionsRanking = ["none", "read", "write", "admin"];
+
+        const minimumPermission = core.getInput('minimum-permission');
+        if (!permissionsRanking.includes(minimumPermission)) {
+          core.setFailed(`Invalid minimum permission: ${minimumPermission}`);
+          return;
+        }
+
+        const { data : { permission : actorPermission } } = await github.rest.repos.getCollaboratorPermissionLevel({
+          owner: context.repo.owner,
+          repo: context.repo.repo,
+          username: tools.context.actor
+        });
+
+        // Confirm whether the actor permission is at least the selected permission
+        const hasPermission = permissionsRanking.indexOf(minimumPermission) <= permissionsRanking.indexOf(actorPermission) ? "1" : "";
+        core.setOutput('has-permission', hasPermission);
+        if (!hasPermission) {
+          core.info(`Current actor (${tools.context.actor}) does not have the minimum required permission '${minimumPermission}' (has '${actorPermission}')`);
+        } else {
+          core.info(`Current actor (${tools.context.actor}) has the minimum required permission '${minimumPermission}' (has '${actorPermission}')`);
+        }
diff --git a/.github/workflows/dispatch-matrix-check.yml b/.github/workflows/dispatch-matrix-check.yml
@@ -11,13 +11,14 @@ jobs:
   dispatch-matrix-check:
     runs-on: ubuntu-22.04
     steps:
-      - name: Test Variables
-        shell: pwsh
-        run: |
-          Write-Host "Running as: ${{github.actor}}"
+      - name: Check permission
+        id: check-write-permission
+        uses: ./.github/actions/check-permissions
+        with:
+          minimum-permission: "write"
 
       - name: Dispatch Matrix Testing Job
-        if: ${{ contains(fromJSON('["mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill"]'), github.actor) }}
+        if: steps.check-write-permission.outputs.has-permission
         uses: peter-evans/repository-dispatch@v2
         with:
           token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
@@ -26,7 +27,7 @@ jobs:
           client-payload: '{"pr": "${{ github.event.number }}"}'
 
       - uses: actions/github-script@v6
-        if: ${{ contains(fromJSON('["mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill"]'), github.actor) }}
+        if: steps.check-write-permission.outputs.has-permission
         with:
           script: |
             github.rest.issues.createComment({

diff --git a/.github/workflows/dispatch-matrix-test-on-comment.yml b/.github/workflows/dispatch-matrix-test-on-comment.yml
@@ -3,30 +3,19 @@ name: 🤖 Run Matrix Check (On Comment)
 on:
   issue_comment:
     types: [created]
-    branches:
-      - main
-      - "rc/**"
-      - next
 
 jobs:
   dispatch-matrix-check:
     runs-on: ubuntu-22.04
     steps:
-      - name: Test Variables
-        shell: pwsh
-        run: |
-          Write-Host "Running as: ${{github.actor}}"    
-
-          $actor = "${{github.actor}}"
-
-          $acl = @("mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill") 
-
-          if(-not ($actor -in $acl)){
-            throw "Refusing to run workflow for user not in acl."
-          }
+      - name: Check permission
+        id: check-write-permission
+        uses: ./.github/actions/check-permissions
+        with:
+          minimum-permission: "write"
 
       - name: Dispatch Matrix Testing Job
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') }}
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') && steps.check-write-permission.outputs.has-permission }}
         uses: peter-evans/repository-dispatch@v2
         with:
           token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
@@ -35,7 +24,7 @@ jobs:
           client-payload: '{"pr": "${{ github.event.issue.number }}"}'
 
       - uses: actions/github-script@v6
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') }}
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') && steps.check-write-permission.outputs.has-permission }}
         with:
           script: |
             github.rest.issues.createComment({

diff --git a/.github/workflows/dispatch-release-performance-check.yml b/.github/workflows/dispatch-release-performance-check.yml
@@ -3,30 +3,19 @@ name: 🏁 Run Release Performance Check
 on:
   issue_comment:
     types: [created]
-    branches:
-      - main
-      - "rc/**"
-      - next
 
 jobs:
   dispatch-matrix-check:
     runs-on: ubuntu-22.04
     steps:
-      - name: Test Variables
-        shell: pwsh
-        run: |
-          Write-Host "Running as: ${{github.actor}}"    
-
-          $actor = "${{github.actor}}"
-
-          $acl = @("mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill") 
-
-          if(-not ($actor -in $acl)){
-            throw "Refusing to run workflow for user not in acl."
-          }
+      - name: Check permission
+        id: check-write-permission
+        uses: ./.github/actions/check-permissions
+        with:
+          minimum-permission: "write"
 
       - name: Dispatch Performance Testing Job
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') }}
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') && steps.check-write-permission.outputs.has-permission }}
         uses: peter-evans/repository-dispatch@v2
         with:
           token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
@@ -35,7 +24,7 @@ jobs:
           client-payload: '{"pr": "${{ github.event.issue.number }}"}'
 
       - uses: actions/github-script@v6
-        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') }}
+        if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') && steps.check-write-permission.outputs.has-permission }}
         with:
           script: |
             github.rest.issues.createComment({