From c290652204672f9f6f1239d2d4561a45d6c31eac Mon Sep 17 00:00:00 2001
From: Konrad Kleine <kkleine@redhat.com>
Date: Mon, 22 Apr 2024 12:52:52 +0200
Subject: [PATCH] /retest check team membership in graphql. See #416

---
 .github/workflows/retest.yml                  | 28 +++++++++++++++++++
 .../snapshot_manager/snapshot_manager.py      |  8 ------
 2 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/retest.yml b/.github/workflows/retest.yml
index db4a3aac..685f981c 100644
--- a/.github/workflows/retest.yml
+++ b/.github/workflows/retest.yml
@@ -32,7 +32,35 @@ jobs:
             }
             const result = await github.graphql(mutation, variables)
             console.log(result)
+  check-team-membership:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check if commented is member of the required team.
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const query = `query check_if_user_is_team_member($user_login: String!, $org: String!, $team_slug: String!) {
+              organization(login: $org) {
+                team(slug: $team_slug) {
+                  members(query: $user_login) {
+                    totalCount
+                  }
+                }
+              }
+            }`;
+            const variables = {
+              "user_login": "${{github.event.comment.user.login}}",
+              "org": context.repo.owner,
+              "team_slug": "llvm-toolset-engineers"
+            }
+            const result = await github.graphql(query, variables)
+            console.log(result)
+
+            if(result['organization']['team']['members']['totalCount'] != 1) {
+              core.setFailed("User is not allowed to use the /retest command");
+            }
   get-chroots:
+    needs: check-team-membership
     if: ${{ !github.event.issue.pull_request && startsWith(github.event.comment.body, '/retest')}}
     runs-on: ubuntu-latest
     outputs:
diff --git a/snapshot_manager/snapshot_manager/snapshot_manager.py b/snapshot_manager/snapshot_manager/snapshot_manager.py
index 3397093f..e9b6a768 100755
--- a/snapshot_manager/snapshot_manager/snapshot_manager.py
+++ b/snapshot_manager/snapshot_manager/snapshot_manager.py
@@ -108,14 +108,6 @@ def retest(
             logging.info(f"Trigger comment with ID {trigger_comment_id} not found")
             return
 
-        # Get author from trigger comment to verify one is in the correct team
-        team = repo.organization.get_team_by_slug(self.config.retest_team_slug)
-        if not team.has_in_members(trigger_comment.user):
-            logging.info(
-                f"Trigger comment author '{trigger_comment.user.login}' must be a member of this team: '{self.config.retest_team_slug}'"
-            )
-            return
-
         # Check chroots
         if chroots is None or len(chroots) == 0:
             logging.info("No chroots found")