@W-17625835 Enhance Pull Request Workflow with Contributor Permissions Validation #76
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Pull Request | |
| on: | |
| # Dangerious without Member Check setup! | |
| pull_request_target: | |
| branches: | |
| - dev | |
| jobs: | |
| static-analysis: | |
| runs-on: macos-15 | |
| steps: | |
| - name: Check Write Permissions | |
| uses: octokit/[email protected] | |
| id: check_permissions | |
| with: | |
| route: GET /repos/${{ github.repository }}/collaborators/${{ github.triggering_actor }}/permission | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Debug Permissions Response | |
| run: | | |
| echo "Permissions raw response: ${{ steps.check_permissions.outputs.data }}" | |
| - name: Validate Write Permissions | |
| run: | | |
| permission=$(echo "${{ fromJson(steps.check_permissions.outputs.data).permission }}") | |
| echo "User ${{ github.actor }} has permissions: $permissions" | |
| if [[ "$permission" != "write" && "$permission" != "admin" ]]; then | |
| echo "User ${{ github.actor }} does not have sufficient permissions (write or admin) to proceed." | |
| exit 1 | |
| fi | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| # We need a sufficient depth or Danger will occasionally run into issues checking which files were modified. | |
| fetch-depth: 100 | |
| # This is dangerous without the member check | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - name: Install Dependencies | |
| run: | | |
| npm install [email protected] | |
| ./install.sh | |
| - name: Run Static Analysis | |
| # It would be nice to use xcbeaufity here but all the warnings and errors get annotated onto the PR, including | |
| # files not mofified in the PR which is annoying. | |
| run: | |
| xcodebuild analyze -workspace SalesforceMobileSDK.xcworkspace -scheme MobileSync -sdk 'iphonesimulator' \ | |
| CLANG_ANALYZER_OUTPUT=plist-html CLANG_ANALYZER_OUTPUT_DIR=./clangReport RUN_CLANG_STATIC_ANALYZER=YES | |
| - name: Report Static Analysis | |
| env: | |
| DANGER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| cd .github/DangerFiles | |
| bundle update && bundle install | |
| bundle exec danger --dangerfile=StaticAnalysis.rb --danger_id=StaticAnalysis | |
| test-orchestrator: | |
| runs-on: macos-15 | |
| outputs: | |
| libs: ${{ steps.test-orchestrator.outputs.libs }} | |
| steps: | |
| - name: Check Write Permissions | |
| uses: octokit/[email protected] | |
| id: check_permissions | |
| with: | |
| route: GET /repos/${{ github.repository }}/collaborators/${{ github.triggering_actor }}/permission | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Debug Permissions Response | |
| run: | | |
| echo "Permissions raw response: ${{ steps.check_permissions.outputs.data }}" | |
| - name: Validate Write Permissions | |
| run: | | |
| permission=$(echo "${{ fromJson(steps.check_permissions.outputs.data).permission }}") | |
| echo "User ${{ github.actor }} has permissions: $permissions" | |
| if [[ "$permission" != "write" && "$permission" != "admin" ]]; then | |
| echo "User ${{ github.actor }} does not have sufficient permissions (write or admin) to proceed." | |
| exit 1 | |
| fi | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| # We need a sufficient depth or Danger will occasionally run into issues checking which files were modified. | |
| fetch-depth: 100 | |
| # This is dangerous without the member check | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - name: Determine Tests to Run | |
| id: test-orchestrator | |
| env: | |
| DANGER_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| cd .github/DangerFiles | |
| bundle update && bundle install | |
| bundle exec danger --dangerfile=TestOrchestrator.rb | |
| ios-pr: | |
| needs: [test-orchestrator] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| lib: ${{ fromJson(needs.test-orchestrator.outputs.libs) }} | |
| uses: ./.github/workflows/reusable-workflow.yaml | |
| with: | |
| lib: ${{ matrix.lib }} | |
| secrets: inherit |