Allow approvers of the repo to run the gha

atheo89 · Oct 17, 2024 · 6888dd4 · 6888dd4
1 parent c3d9c8b
commit 6888dd4
Showing 1 changed file with 43 additions and 0 deletions.
diff --git a/.github/workflows/sync-branches-through-pr.yaml b/.github/workflows/sync-branches-through-pr.yaml
@@ -12,7 +12,40 @@ on:  # yamllint disable-line rule:truthy
         required: true
 
 jobs:
+  check-approver:
+    runs-on: ubuntu-latest
+    outputs:
+      is-approver: ${{ steps.check-approver.outputs.is-approver }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Parse OWNERS file and check approver
+        id: check-approver
+        run: |
+
+          mapfile -t approvers < <(awk '/approvers:/ {found=1; next} /reviewers:/ {found=0} found {gsub(/^[ \t]*-?[ \t]*/, ""); print}' OWNERS)
+          is_approver=false
+          # Check if $GITHUB_ACTOR is in the list of approvers
+          for approver in "${approvers[@]}"; do
+            if [[ "$GITHUB_ACTOR" == "$approver" ]]; then
+              echo "User $GITHUB_ACTOR is allowed to run the workflow."
+              is_approver=true
+              break
+            fi
+          done
+
+          # Set output based on the approver status
+          if [[ "$is_approver" == true ]]; then
+            echo "is-approver=true" >> ${GITHUB_OUTPUT}
+          else
+            echo "User $GITHUB_ACTOR is not allowed to run the workflow."
+            echo "is-approver=false" >> ${GITHUB_OUTPUT}
+          fi
+
   sync:
+    needs: check-approver
+    if: needs.check-approver.outputs.is-approver == 'true'
     permissions:
       contents: write
       pull-requests: write
@@ -45,3 +78,13 @@ jobs:
             It merges all commits from `${{ github.event.inputs.source }}` branch into `${{ github.event.inputs.target }}` branch.
 
             :warning: **IMPORTANT NOTE**: Remember to delete the `${{ steps.prepare.outputs.branch }}` branch after merging the changes.
+
+  fail-unauthorized:
+    needs: check-approver
+    if: needs.check-approver.outputs.is-approver == 'false'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Fail job for unauthorized user
+        run: |
+          echo "You are not authorized to run this workflow. Only approvers listed in OWNERS.yaml can run it."
+          exit 1