File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 11name : Branch off
22
33on :
4- workflow_dispatch :
54 workflow_call :
65 outputs :
76 bump_version_pr_url :
2423 uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2524 with :
2625 ref : main
26+ # Persist the bot token so the branch/tag pushes below authenticate as
27+ # HaystackBot (a ruleset-bypass actor) instead of the default
28+ # github-actions[bot], which only has contents:read and is blocked by
29+ # the release rulesets.
30+ token : ${{ secrets.HAYSTACK_BOT_TOKEN }}
2731
2832 - name : Define all versions
2933 id : versions
Original file line number Diff line number Diff line change @@ -17,7 +17,30 @@ permissions:
1717 contents : read
1818
1919jobs :
20+ authorize :
21+ # Releasing acts as HaystackBot (a ruleset-bypass actor), so the ruleset
22+ # cannot enforce *who* started the release. Gate on the triggering user's
23+ # role instead: only maintainers/admins may run this workflow, even though
24+ # workflow_dispatch itself is available to anyone with write access.
25+ runs-on : ubuntu-slim
26+ steps :
27+ - name : Verify the triggering user may release
28+ env :
29+ GH_TOKEN : ${{ secrets.HAYSTACK_BOT_TOKEN }}
30+ ACTOR : ${{ github.triggering_actor }}
31+ run : |
32+ ROLE=$(gh api "repos/${{ github.repository }}/collaborators/${ACTOR}/permission" --jq '.role_name')
33+ echo "::notice::${ACTOR} has repository role '${ROLE}'"
34+ case "$ROLE" in
35+ admin|maintain)
36+ echo "✅ ${ACTOR} is authorized to trigger a release." ;;
37+ *)
38+ echo "::error::${ACTOR} has role '${ROLE}'. A release can only be triggered by a user with the 'maintain' or 'admin' role."
39+ exit 1 ;;
40+ esac
41+
2042 parse-validate-version :
43+ needs : ["authorize"]
2144 runs-on : ubuntu-slim
2245 outputs :
2346 version : ${{ steps.parse-validate.outputs.version }}
You can’t perform that action at this time.
0 commit comments