|
19 | 19 | check-authorization: |
20 | 20 | name: Check Authorization |
21 | 21 | runs-on: ubuntu-latest |
| 22 | + if: >- |
| 23 | + github.event_name != 'issue_comment' || |
| 24 | + (github.event.issue.pull_request && |
| 25 | + (startsWith(github.event.comment.body, '/test-functional') || |
| 26 | + startsWith(github.event.comment.body, '/retest'))) |
22 | 27 | outputs: |
23 | 28 | authorized: ${{ steps.check.outputs.authorized }} |
24 | 29 | steps: |
|
34 | 39 | if (eventName === 'push' || eventName === 'workflow_dispatch') { |
35 | 40 | authorized = true; |
36 | 41 | } else { |
| 42 | + if (eventName === 'issue_comment') { |
| 43 | + if (!context.payload.issue.pull_request) { |
| 44 | + core.setFailed('issue_comment event on a non-PR issue should have been filtered by job condition'); |
| 45 | + return; |
| 46 | + } |
| 47 | + const body = context.payload.comment.body; |
| 48 | + if (!/^\/(test-functional|retest)/.test(body)) { |
| 49 | + core.setFailed('issue_comment without trigger command should have been filtered by job condition'); |
| 50 | + return; |
| 51 | + } |
| 52 | + } |
| 53 | +
|
37 | 54 | try { |
38 | 55 | const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({ |
39 | 56 | owner: context.repo.owner, |
|
43 | 60 |
|
44 | 61 | const role = permission.permission; // admin, write, maintain, read, none |
45 | 62 | if (['admin', 'write', 'maintain'].includes(role)) { |
46 | | - if (eventName === 'pull_request_target') { |
47 | | - authorized = true; |
48 | | - } else if (eventName === 'issue_comment' && context.payload.issue.pull_request) { |
49 | | - const body = context.payload.comment.body; |
50 | | - if (/^\/(test-functional|retest)/.test(body)) { |
51 | | - authorized = true; |
52 | | - } |
53 | | - } |
| 63 | + authorized = true; |
54 | 64 | } |
55 | 65 | } catch (error) { |
56 | 66 | core.error(`Failed to check permissions for ${user}: ${error.message}`); |
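Review bot: In the last hunk, `authorized = true` (new line 63) now applies to every event other than `push`/`workflow_dispatch` once the role check passes, while the removed lines granted it only for `pull_request_target` and a matching `issue_comment`. Whether any other trigger can reach this script depends on the workflow's `on:` block, which is outside the visible hunks, so an explicit allow-list would keep the check fail-closed: `if (['pull_request_target', 'issue_comment'].includes(eventName) && ['admin', 'write', 'maintain'].includes(role)) {`. The command regex on new line 48 has no terminator, so it also accepts longer strings that merely begin with a command; `/^\/(test-functional|retest)(\s|$)/` would make the match exact, with the `startsWith` in the job-level `if` acting only as a pre-filter. The `user` passed to the permission lookup is defined outside these hunks, and the `try` block also starts and ends outside them; for `issue_comment` the lookup should use the comment author rather than the PR author, which is worth confirming.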
|