Restrict non-dev pull requests to an allowlisted set of actors and skip cross-platform PR builds unless that authorization check passes. Keep dev open for general contributions while guiding other PRs back to the dev branch.
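# Gates pull requests that target any branch other than `dev`: only actors
# listed in the repository variable ALLOWED_NON_DEV_PR_ACTORS (comma-separated
# GitHub logins) may open them. Everyone else gets a comment, the PR is closed,
# and the job fails so the rejection shows up in the checks UI.
#
# `pull_request_target` (rather than `pull_request`) is used so the job has a
# write-capable GITHUB_TOKEN for commenting on / closing PRs from forks. That
# trigger runs in the context of the base branch, so this job must never check
# out or execute code from the PR head. It currently does neither; keep it so.
name: Restrict Non-Dev PRs

on:
  pull_request_target:
    types:
      - opened
      - reopened
      - synchronize

# Least privilege: the only API calls are `gh pr comment` and `gh pr close`.
permissions:
  contents: read
  pull-requests: write

jobs:
  restrict-non-dev-prs:
    # PRs into `dev` stay open to everyone; only other base branches are gated.
    if: ${{ github.event.pull_request.base.ref != 'dev' }}
    runs-on: ubuntu-latest
    env:
      # Comma-separated allowlist of GitHub logins. If the variable is unset or
      # empty, nothing matches and every non-dev PR is rejected (fail closed).
      ALLOWED_ACTORS: ${{ vars.ALLOWED_NON_DEV_PR_ACTORS }}
      # NOTE(review): github.actor is whoever triggered the event - the pusher on
      # `synchronize`, the reopener on `reopened` - which can differ from the PR
      # author. Use github.event.pull_request.user.login instead if the intent
      # is to gate on the author rather than on the triggering user.
      ACTOR: ${{ github.actor }}
      PR_NUMBER: ${{ github.event.pull_request.number }}
      BASE_REF: ${{ github.event.pull_request.base.ref }}
      # No checkout step runs in this job, so `gh` has no git remote to infer
      # the repository from; GH_REPO tells it which repo PR_NUMBER belongs to.
      GH_REPO: ${{ github.repository }}
    steps:
      - name: Check allowed actor
        id: auth
        shell: bash
        # Exact-token match against the comma-delimited list. Whitespace around
        # entries is dropped and both sides are lower-cased (GitHub logins are
        # case-insensitive), so "Alice, bob" matches actor "alice". The -n guard
        # keeps an empty actor from matching the empty entry in ",,".
        run: |
          set -euo pipefail
          allowlist="$(printf '%s' "${ALLOWED_ACTORS}" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')"
          actor="$(printf '%s' "${ACTOR}" | tr '[:upper:]' '[:lower:]')"
          normalized=",${allowlist},"
          if [[ -n "${actor}" && "${normalized}" == *",${actor},"* ]]; then
            echo "authorized=true" >> "$GITHUB_OUTPUT"
          else
            echo "authorized=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Comment on unauthorized PR
        if: ${{ steps.auth.outputs.authorized != 'true' }}
        shell: bash
        env:
          # The token is exposed only to the steps that call the API.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh pr comment "$PR_NUMBER" --body "Thanks for the contribution. PRs need to target \`dev\` branch. Please retarget this PR to the dev branch"

      - name: Close unauthorized PR
        if: ${{ steps.auth.outputs.authorized != 'true' }}
        shell: bash
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh pr close "$PR_NUMBER"

      - name: Fail unauthorized PR
        if: ${{ steps.auth.outputs.authorized != 'true' }}
        shell: bash
        # Non-zero exit marks the check as failed on the PR.
        run: |
          echo "Actor $ACTOR is not allowed to open PRs targeting $BASE_REF" >&2
          exit 1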