salvacybersec/CodeNomad
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(workflows): recheck non-dev PR authorization by author

Browse Source
This commit is contained in:
Shantur Rathore
2026-04-01 23:11:25 +01:00
parent df16b64a95
commit 2ffeb45a9c
3 changed files with 11 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.github/workflows/comment-pr-artifacts.yml vendored
View File

@@ -4,6 +4,7 @@ on:
pull_request_target: pull_request_target:
types: types:
- opened - opened
- edited
- synchronize - synchronize
- reopened - reopened
- ready_for_review - ready_for_review
@@ -19,7 +20,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
env: env:
ALLOWED_ACTORS: ${{ vars.ALLOWED_NON_DEV_PR_ACTORS }} ALLOWED_ACTORS: ${{ vars.ALLOWED_NON_DEV_PR_ACTORS }}
ACTOR: ${{ github.actor }} PR_AUTHOR: ${{ github.event.pull_request.user.login }}
BASE_REF: ${{ github.event.pull_request.base.ref }} BASE_REF: ${{ github.event.pull_request.base.ref }}
IS_DRAFT: ${{ github.event.pull_request.draft }} IS_DRAFT: ${{ github.event.pull_request.draft }}
PR_NUMBER: ${{ github.event.pull_request.number }} PR_NUMBER: ${{ github.event.pull_request.number }}
@@ -37,7 +38,7 @@ jobs:
fi fi
normalized=",${ALLOWED_ACTORS}," normalized=",${ALLOWED_ACTORS},"
if [[ "$normalized" == *",${ACTOR},"* ]]; then if [[ "$normalized" == *",${PR_AUTHOR},"* ]]; then
echo "allowed=true" >> "$GITHUB_OUTPUT" echo "allowed=true" >> "$GITHUB_OUTPUT"
else else
echo "allowed=false" >> "$GITHUB_OUTPUT" echo "allowed=false" >> "$GITHUB_OUTPUT"

7
.github/workflows/pr-build.yml vendored
View File

@@ -4,6 +4,7 @@ on:
pull_request: pull_request:
types: types:
- opened - opened
- edited
- synchronize - synchronize
- reopened - reopened
- ready_for_review - ready_for_review
@@ -23,7 +24,7 @@ jobs:
allowed: ${{ steps.auth.outputs.allowed }} allowed: ${{ steps.auth.outputs.allowed }}
env: env:
ALLOWED_ACTORS: ${{ vars.ALLOWED_NON_DEV_PR_ACTORS }} ALLOWED_ACTORS: ${{ vars.ALLOWED_NON_DEV_PR_ACTORS }}
ACTOR: ${{ github.actor }} PR_AUTHOR: ${{ github.event.pull_request.user.login }}
BASE_REF: ${{ github.event.pull_request.base.ref }} BASE_REF: ${{ github.event.pull_request.base.ref }}
steps: steps:
- name: Check PR authorization - name: Check PR authorization
@@ -37,11 +38,11 @@ jobs:
fi fi
normalized=",${ALLOWED_ACTORS}," normalized=",${ALLOWED_ACTORS},"
if [[ "$normalized" == *",${ACTOR},"* ]]; then if [[ "$normalized" == *",${PR_AUTHOR},"* ]]; then
echo "allowed=true" >> "$GITHUB_OUTPUT" echo "allowed=true" >> "$GITHUB_OUTPUT"
else else
echo "allowed=false" >> "$GITHUB_OUTPUT" echo "allowed=false" >> "$GITHUB_OUTPUT"
echo "Skipping builds for unauthorized PR targeting $BASE_REF" >&2 echo "Skipping builds for PR by unauthorized author targeting $BASE_REF" >&2
fi fi
build: build:

7
.github/workflows/restrict-non-dev-prs.yml vendored
View File

@@ -4,6 +4,7 @@ on:
pull_request_target: pull_request_target:
types: types:
- opened - opened
- edited
- reopened - reopened
- synchronize - synchronize
@@ -17,7 +18,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
env: env:
ALLOWED_ACTORS: ${{ vars.ALLOWED_NON_DEV_PR_ACTORS }} ALLOWED_ACTORS: ${{ vars.ALLOWED_NON_DEV_PR_ACTORS }}
ACTOR: ${{ github.actor }} PR_AUTHOR: ${{ github.event.pull_request.user.login }}
PR_NUMBER: ${{ github.event.pull_request.number }} PR_NUMBER: ${{ github.event.pull_request.number }}
BASE_REF: ${{ github.event.pull_request.base.ref }} BASE_REF: ${{ github.event.pull_request.base.ref }}
steps: steps:
@@ -27,7 +28,7 @@ jobs:
run: | run: |
set -euo pipefail set -euo pipefail
normalized=",${ALLOWED_ACTORS}," normalized=",${ALLOWED_ACTORS},"
if [[ "$normalized" == *",${ACTOR},"* ]]; then if [[ "$normalized" == *",${PR_AUTHOR},"* ]]; then
echo "authorized=true" >> "$GITHUB_OUTPUT" echo "authorized=true" >> "$GITHUB_OUTPUT"
else else
echo "authorized=false" >> "$GITHUB_OUTPUT" echo "authorized=false" >> "$GITHUB_OUTPUT"
@@ -50,5 +51,5 @@ jobs:
- name: Fail unauthorized PR - name: Fail unauthorized PR
if: ${{ steps.auth.outputs.authorized != 'true' }} if: ${{ steps.auth.outputs.authorized != 'true' }}
run: | run: |
echo "Actor $ACTOR is not allowed to open PRs targeting $BASE_REF" >&2 echo "PR author $PR_AUTHOR is not allowed to open PRs targeting $BASE_REF" >&2
exit 1 exit 1