Restrict non-dev pull requests to an allowlisted set of actors and skip cross-platform PR builds unless that authorization check passes. Keep dev open for general contributions while guiding other PRs back to the dev branch.
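name: PR Build Validation

# Gatekeeping workflow for pull requests. PRs into `dev` are always built;
# PRs into any other branch are built only when the triggering actor is on
# the ALLOWED_NON_DEV_PR_ACTORS allowlist (repository variable, comma-separated
# GitHub logins). The actual build is delegated to the reusable
# build-and-upload workflow with uploads and version stamping disabled.
on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened

# Least privilege: nothing here needs to write to the repository.
permissions:
  contents: read

# One in-flight run per PR; a newer push cancels the older run.
concurrency:
  group: pr-build-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  authorize:
    runs-on: ubuntu-latest
    outputs:
      # "true" / "false" as strings — consumed by the `build` job's `if:`.
      allowed: ${{ steps.auth.outputs.allowed }}
    env:
      # Workflow context is passed through env rather than interpolated into
      # the `run:` script, so attacker-controlled values are never expanded
      # as shell syntax.
      ALLOWED_ACTORS: ${{ vars.ALLOWED_NON_DEV_PR_ACTORS }}
      # NOTE(review): github.actor is whoever triggered this event (opened,
      # pushed, or reopened), not necessarily the PR author — confirm that
      # is the intended subject of the allowlist check.
      ACTOR: ${{ github.actor }}
      BASE_REF: ${{ github.event.pull_request.base.ref }}
    steps:
      - name: Check PR authorization
        id: auth
        shell: bash
        run: |
          set -euo pipefail

          # PRs targeting dev are open to everyone.
          if [ "$BASE_REF" = "dev" ]; then
            echo "allowed=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          # Tolerate "alice, bob" as well as "alice,bob": strip all whitespace
          # before wrapping the list in commas for an exact-entry match.
          # An unset or empty allowlist yields ",," and matches nothing, so
          # the check fails closed; an empty actor is rejected explicitly so
          # it cannot match a stray empty entry.
          normalized=",$(printf '%s' "$ALLOWED_ACTORS" | tr -d '[:space:]'),"
          if [ -n "$ACTOR" ] && [[ "$normalized" == *",${ACTOR},"* ]]; then
            echo "allowed=true" >> "$GITHUB_OUTPUT"
          else
            echo "allowed=false" >> "$GITHUB_OUTPUT"
            echo "Skipping builds for unauthorized PR targeting $BASE_REF" >&2
          fi

  build:
    needs: authorize
    # Outputs are strings, so compare against the literal 'true'.
    if: ${{ needs.authorize.outputs.allowed == 'true' }}
    uses: ./.github/workflows/build-and-upload.yml
    with:
      # Build the exact PR head commit; no artifact upload, no version stamping.
      ref: ${{ github.event.pull_request.head.sha }}
      upload: false
      set_versions: false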