Require environment rule to run CI steps

clerk · Dec 2, 2024 · 8a03c9a · 8a03c9a
1 parent bf8e185
commit 8a03c9a
Showing 1 changed file with 20 additions and 25 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -13,7 +13,19 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  approve:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Approve external contribution
+      run: echo For security reasons, all pull requests need to be approved first before running any automated CI.
+      if: ${{ github.event.pull_request.head.repo.fork }}
+
   formatting-linting:
+    needs: [approve]
+    environment:
+      name: Run CI for external contribution
+
     name: Formatting, linting & changeset checks
     runs-on: 'blacksmith-8vcpu-ubuntu-2204'
     timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }}
@@ -80,6 +92,10 @@ jobs:
           retention-days: 5
 
   unit-tests:
+    needs: [approve]
+    environment:
+      name: Run CI for external contribution
+
     name: Unit Tests
     runs-on: 'blacksmith-8vcpu-ubuntu-2204'
     timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }}
@@ -131,6 +147,10 @@ jobs:
           retention-days: 5
 
   integration-tests:
+    needs: [approve]
+    environment:
+      name: Run CI for external contribution
+
     name: Integration Tests
     runs-on: 'blacksmith-8vcpu-ubuntu-2204'
     timeout-minutes: ${{ vars.TIMEOUT_MINUTES_LONG && fromJSON(vars.TIMEOUT_MINUTES_LONG) || 15 }}
@@ -152,31 +172,6 @@ jobs:
             next-version: '15'
 
     steps:
-      # Skip integration tests from fork PRs to prevent secret exfiltration
-      - name: Get User Permission
-        id: checkAccess
-        uses: actions-cool/check-user-permission@v2
-        with:
-          require: write
-          username: ${{ github.triggering_actor }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Check User Permission
-        if: steps.checkAccess.outputs.require-result == 'false'
-        run: |
-          echo "${{ github.triggering_actor }} does not have permissions on this repo."
-          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
-          echo "Job originally triggered by ${{ github.actor }}"
-          exit 1
-
-      - name: Checkout Repo
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          show-progress: false
-          # We must first verify the user permissions before checking out PR code
-          ref: ${{ github.event.pull_request.head.sha }}
-
       - name: Setup
         id: config
         uses: ./.github/actions/init-blacksmith