diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bfde25c679..781aa42b26 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,7 @@ on:
 workflow_dispatch:
 merge_group:
 pull_request_target:
+ types: [opened, synchronize]
 branches:
 - main
 - release/v4
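Review bot: Restricting `pull_request_target` to `types: [opened, synchronize]` drops `reopened` from the trigger's default set (`opened`, `synchronize`, `reopened`), so a PR that is closed and reopened gets no new CI run and keeps whatever status it had before closing. If that is intended, a comment above the `types:` line stating why (e.g. `# reopened is deliberately excluded: ...`) would save the next reader a lookup; otherwise add `reopened` to the list. The `on:` block continues outside this hunk on both sides.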
@@ -13,22 +14,33 @@ concurrency:
 cancel-in-progress: true
 
 jobs:
- check-approval:
- name: Check approval for external contribution
+ # We must first check whether it is a external contribution, before processing to checkout the code and running jobs with access to secrets
+ check-permissions:
 runs-on: 'blacksmith-8vcpu-ubuntu-2204'
 steps:
- - name: Verify if it's external contribution
- run: if [[ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]]; then echo "For security reasons, all pull requests from external forks need to be approved first before running any automated CI." && exit 1; else echo 'Skipping' && exit 0; fi
-
- trigger-approval:
- name: 'Trigger approval for external contribution'
- runs-on: 'blacksmith-8vcpu-ubuntu-2204'
- environment:
- name: approve_external_contribution
- if: ${{ github.event.pull_request.head.repo.fork }}
+ - name: Get User Permission
+ id: checkAccess
+ uses: actions-cool/check-user-permission@v2
+ with:
+ require: write
+ username: ${{ github.triggering_actor }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Check User Permission
+ if: steps.checkAccess.outputs.require-result == 'false'
+ run: |
+ echo "${{ github.triggering_actor }} does not have permissions on this repo."
+ echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+ echo "Job originally triggered by ${{ github.actor }}"
+ exit 1
+ # This is dangerous without the first access check
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
 
 formatting-linting:
- needs: [check-approval]
+ needs: [check-permissions]
 name: Formatting, linting & changeset checks
 runs-on: 'blacksmith-8vcpu-ubuntu-2204'
 timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }}
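Review bot: The gate in the `Check User Permission` step fails open: it only trips when `require-result` is exactly `'false'`, so an empty or unexpected output from the preceding step (for instance a renamed output after a major-version bump of the action) leaves the job green and every `needs: [check-permissions]` job runs against the untrusted PR; inverting it to `if: steps.checkAccess.outputs.require-result != 'true'` makes the gate fail closed. Because this job runs under `pull_request_target` with `secrets.GITHUB_TOKEN` in scope, the two mutable tag references `actions-cool/check-user-permission@v2` and `actions/checkout@v4` should be pinned to full commit SHAs (tag kept in a trailing comment) so a moved tag cannot change what runs with the token. The final `Checkout code` step fetches the untrusted head commit but no later step in this job uses the tree, so it can be dropped; if it stays, the comment above it should say what it is for. The downstream jobs that presumably check out the same commit are outside this hunk and should be confirmed to use the immutable `head.sha` rather than a branch ref.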
@@ -95,7 +107,7 @@ jobs:
 retention-days: 5
 
 unit-tests:
- needs: [check-approval]
+ needs: [check-permissions]
 name: Unit Tests
 runs-on: 'blacksmith-8vcpu-ubuntu-2204'
 timeout-minutes: ${{ vars.TIMEOUT_MINUTES_NORMAL && fromJSON(vars.TIMEOUT_MINUTES_NORMAL) || 10 }}
@@ -147,7 +159,7 @@ jobs:
 retention-days: 5
 
 integration-tests:
- needs: [check-approval]
+ needs: [check-permissions]
 name: Integration Tests
 runs-on: 'blacksmith-8vcpu-ubuntu-2204'
 timeout-minutes: ${{ vars.TIMEOUT_MINUTES_LONG && fromJSON(vars.TIMEOUT_MINUTES_LONG) || 15 }}