Validate Cirrus-CI Repository settings in PRs

There's a critical little "slider" on the webpage that's somewhat difficult to tell if it's enabled or not. Make a somewhat weak attempt to catch if it's state ever changes. This is better than not checking at all. Signed-off-by: Chris Evich <[email protected]>
containers · Sep 19, 2023 · e53f780 · e53f780
1 parent 96f616e
commit e53f780
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/ci/validate.sh b/ci/validate.sh
@@ -13,14 +13,24 @@ REPO_DIRPATH=$(realpath "$SCRIPT_DIRPATH/../")
 # shellcheck source=./lib.sh
 source "$REPO_DIRPATH/lib.sh"
 
-req_env_vars CIRRUS_PR CIRRUS_BASE_SHA CIRRUS_PR_TITLE
+req_env_vars CIRRUS_PR CIRRUS_BASE_SHA CIRRUS_PR_TITLE CIRRUS_USER_PERMISSION
 
 show_env_vars
 
 # die() will add a reference to this file and line number.
 [[ "$CIRRUS_CI" == "true" ]] || \
   die "This script is only/ever intended to be run by Cirrus-CI."
 
+# This is imperfect security-wise, but attempt to catch an accidental
+# change in Cirrus-CI Repository settings.  Namely the hard-to-read
+# "slider" that enables non-contributors to run jobs.  We don't want
+# that on this repo, ever. because there are sensitive secrets in use.
+# This variable is set by CI and validated non-empty above
+# shellcheck disable=SC2154
+if [[ "$CIRRUS_USER_PERMISSION" != "write" ]] && [[ "$CIRRUS_USER_PERMISSION" != "admin" ]]; then
+  die "CI Execution not supported with permission level '$CIRRUS_USER_PERMISSION'"
+fi
+
 for target in image_builder/gce.json base_images/cloud.json \
               cache_images/cloud.json win_images/win-server-wsl.json; do
   if ! make $target; then