@@ -39,6 +39,7 @@ concurrency:
3939jobs :
4040 permissions-check :
4141 name : Check Permissions
42+ if : ${{ github.event_name != 'repository_dispatch' }}
4243 runs-on : ' blacksmith-8vcpu-ubuntu-2204'
4344 steps :
4445 - name : Check org membership
@@ -70,12 +71,35 @@ jobs:
7071validate-instances :
7172 name : Validate Staging Instances
7273 needs : [permissions-check]
74+ if : ${{ always() && (needs.permissions-check.result == 'success' || needs.permissions-check.result == 'skipped') }}
7375 runs-on : ' blacksmith-8vcpu-ubuntu-2204'
7476 steps :
77+ - name : Normalize inputs
78+ id : inputs
79+ env :
80+ EVENT_NAME : ${{ github.event_name }}
81+ INPUT_REF : ${{ github.event.inputs.ref }}
82+ PAYLOAD_REF : ${{ github.event.client_payload.ref }}
83+ run : |
84+ if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
85+ echo "ref=${INPUT_REF:-main}" >> $GITHUB_OUTPUT
86+ else
87+ echo "ref=${PAYLOAD_REF:-main}" >> $GITHUB_OUTPUT
88+ fi
89+
90+ name : Validate ref
91+ env :
92+ REF : ${{ steps.inputs.outputs.ref }}
93+ run : |
94+ if [[ ! "$REF" =~ ^(main|release/.*)$ ]]; then
95+ echo "::error::Ref '$REF' is not allowed. Only 'main' and 'release/*' branches are permitted."
96+ exit 1
97+ fi
98+
7599name : Checkout Repo
76100 uses : actions/checkout@v4
77101 with :
78- ref : ${{ github.event. inputs.ref || github.event.client_payload. ref || 'main' }}
102+ ref : ${{ steps. inputs.outputs. ref }}
79103 sparse-checkout : scripts/validate-staging-instances.mjs
80104 fetch-depth : 1
81105
88112 integration-tests :
89113 name : Integration Tests (${{ matrix.test-name }}, ${{ matrix.test-project }})
90114 needs : [permissions-check]
115+ if : ${{ always() && (needs.permissions-check.result == 'success' || needs.permissions-check.result == 'skipped') }}
91116 runs-on : ' blacksmith-8vcpu-ubuntu-2204'
92117 defaults :
93118 run :
0 commit comments