|
| 1 | +#!/usr/bin/env python3 |
| 2 | +"""Authorize a PR triage slash command from an issue_comment event. |
| 3 | +
|
| 4 | +Runs in the `authorize-command` job with only `GITHUB_TOKEN`. Confirms |
| 5 | +that both the commenter and the PR author have repository write access, |
| 6 | +posts the help reply for `/help` directly, and emits the resolved |
| 7 | +command name as a job output so the downstream worker job can gate on it. |
| 8 | +""" |
| 9 | + |
| 10 | +from __future__ import annotations |
| 11 | + |
| 12 | +import json |
| 13 | +import sys |
| 14 | +from urllib.parse import quote |
| 15 | + |
| 16 | +from common import gh, gh_json |
| 17 | +from triage_helpers import ( |
| 18 | + COMMANDS, |
| 19 | + comment_on_pr, |
| 20 | + event_payload, |
| 21 | + event_repo, |
| 22 | + parsed_command, |
| 23 | + pr_number, |
| 24 | + write_job_output, |
| 25 | +) |
| 26 | + |
| 27 | + |
| 28 | +def gh_json_or_none(args: list[str]) -> object | None: |
| 29 | + result = gh(args, check=False) |
| 30 | + if result.returncode == 0: |
| 31 | + return json.loads(result.stdout or "null") |
| 32 | + if "HTTP 404" in result.stderr or "Not Found" in result.stderr: |
| 33 | + return None |
| 34 | + raise RuntimeError(result.stderr.strip() or result.stdout.strip() or "gh api failed") |
| 35 | + |
| 36 | + |
| 37 | +def has_repo_write(login: str) -> bool: |
| 38 | + encoded_login = quote(login, safe="") |
| 39 | + data = gh_json_or_none(["api", f"repos/{event_repo()}/collaborators/{encoded_login}/permission"]) |
| 40 | + if not isinstance(data, dict): |
| 41 | + return False |
| 42 | + return data.get("permission") in {"admin", "maintain", "write"} |
| 43 | + |
| 44 | + |
| 45 | +def authorization_reason() -> str | None: |
| 46 | + payload = event_payload() |
| 47 | + comment = payload.get("comment") or {} |
| 48 | + commenter = str((comment.get("user") or {}).get("login") or "") |
| 49 | + |
| 50 | + if not has_repo_write(commenter): |
| 51 | + return ( |
| 52 | + "for security reasons, PR triage commands can only be run by users " |
| 53 | + "who have write access to this repository" |
| 54 | + ) |
| 55 | + |
| 56 | + pr = gh_json(["api", f"repos/{event_repo()}/pulls/{pr_number()}"]) |
| 57 | + author = pr["user"]["login"] |
| 58 | + if not has_repo_write(author): |
| 59 | + return ( |
| 60 | + "for security reasons, PR triage commands are only supported on PRs " |
| 61 | + "from authors who already have write access to this repository" |
| 62 | + ) |
| 63 | + return None |
| 64 | + |
| 65 | + |
| 66 | +def help_message() -> str: |
| 67 | + supported = ", ".join(f"`{command_name}`" for command_name in COMMANDS) |
| 68 | + return f"Supported PR triage commands: {supported}.\n" |
| 69 | + |
| 70 | + |
| 71 | +def main() -> int: |
| 72 | + requested, command = parsed_command() |
| 73 | + if requested != "/help" and not command: |
| 74 | + # Not a recognized PR triage command: stay silent and skip. |
| 75 | + write_job_output(allowed="false", command="") |
| 76 | + return 0 |
| 77 | + reason = authorization_reason() |
| 78 | + if reason: |
| 79 | + comment_on_pr(f"I did not run `{requested}`: {reason}.") |
| 80 | + write_job_output(allowed="false", command="") |
| 81 | + return 0 |
| 82 | + if requested == "/help": |
| 83 | + # /help is small enough to handle here; this avoids spinning up the |
| 84 | + # worker/poster pipeline (and Java/Gradle setup) for a static reply. |
| 85 | + comment_on_pr(help_message()) |
| 86 | + write_job_output(allowed="false", command="help") |
| 87 | + return 0 |
| 88 | + write_job_output(allowed="true", command=command) |
| 89 | + return 0 |
| 90 | + |
| 91 | + |
| 92 | +if __name__ == "__main__": |
| 93 | + sys.exit(main()) |
0 commit comments