Merge branch 'dev' into dev-a

Crebs · Jan 21, 2025 · eb35090 · eb35090
2 parents 410da57 + 3aae2fb
commit eb35090
Showing 1 changed file with 17 additions and 4 deletions.
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -12,10 +12,23 @@ jobs:
     runs-on: macos-15
     steps:
       - name: Member Check
-        if: ${{ github.event.pull_request.author_association != 'MEMBER' && github.event.pull_request.author_association != 'OWNER' }}
+        uses: octokit/[email protected]
+        id: member_check
+        with:
+          route: >
+            GET /repos/${{ github.repository }}/collaborators/${{ github.triggering_actor }}/permission
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        - name: Validate Permissions
         run: |
-          echo "Pull Request not triggered by a MSDK team member.  Someone from the team needs to rerun this workflow AFTER it has been deemed safe."
-          exit 1
+          permissions=$(echo "${{ steps.member_check.outputs.data }}" | jq -r '.permission')
+          echo "Triggering actor: \
+            ${{ github.triggering_actor }} has permissions: $permissions"
+          if [[ "$permissions" != "write" && "$permissions" != "admin" ]]; then
+            echo "Pull Request not triggered by a user with sufficient permissions."
+            echo "Someone from the team needs to rerun this workflow AFTER it has been deemed safe."
+            exit 1
+          fi
       - name: Checkout
         uses: actions/checkout@v4
         with:
@@ -75,4 +88,4 @@ jobs:
     uses: ./.github/workflows/reusable-workflow.yaml
     with:
       lib: ${{ matrix.lib }}
-    secrets: inherit
+    secrets: inherit