
git-flow-automerge: Check triggering user authz for perms >= write #140


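---
# Merge PRs labeled release to master
name: git-flow-automerge

# Least-privilege token: the create-branch and git-flow merge steps push to the
# repository, so the job token needs contents: write; nothing below needs more.
permissions:
  contents: write

# Controls when the workflow will run
on:  # yamllint disable-line rule:truthy
  # Trigger on pull request events tagged 'release' only for the develop branch
  pull_request:
    branches: [develop]
    types: [labeled, closed, edited]

jobs:
  master-branch:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: master
      - name: Extract master SHA
        id: master_branch
        # $GITHUB_OUTPUT replaces the deprecated ::set-output workflow command
        run: echo "sha=$(git rev-parse master)" >> "$GITHUB_OUTPUT"
      - name: Check triggering user permissions
        id: check_user_permissions
        uses: actions-cool/[email protected]
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # Must be an expression: the bare text "github.triggering_actor" is
          # taken as a literal username, so the check could never pass.
          username: ${{ github.triggering_actor }}
          require: write
    outputs:
      sha: ${{ steps.master_branch.outputs.sha }}
      # require-result is the string 'true'/'false'; job outputs are always strings
      authorized: ${{ steps.check_user_permissions.outputs.require-result }}

  automerge:
    # Job outputs are strings, so compare against 'true': a bare `true` is
    # coerced to a number in the expression engine and never matches the
    # string, which would silently skip this job for everyone.
    if: >-
      needs.master-branch.outputs.authorized == 'true'
      && github.event.pull_request.merged == true
      && (contains(github.event.pull_request.labels.*.name, 'release')
      || github.event.label.name == 'release')
    runs-on: ubuntu-latest
    needs: master-branch
    steps:
      # Debug aid: this prints the whole event payload to the job log. The
      # token inside the context is masked by the runner, but everything else
      # (PR body, labels, user data) is logged verbatim.
      - name: Dump GitHub context
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
        run: |
          echo "$GITHUB_CONTEXT" | jq '.'
      - name: Debug Master SHA
        env:
          MASTER_SHA: ${{ needs.master-branch.outputs.sha }}
        run: echo "$MASTER_SHA"
      - uses: actions/checkout@v3
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '2.6'  # Not needed with a .ruby-version file
          bundler-cache: true  # runs 'bundle install' and caches installed gems automatically
      - name: Extract Chef Version
        id: extract_chef_version
        # Pulls "x.y.z" out of the "chef (x.y.z)" line of the bundled gem list
        run: |
          chef_version="$(bundle exec gem list --quiet --local --exact 'chef' | \
            ruby -ne 'print gsub(/chef\s*\((?<version>.*)\)$/, %q/\k<version>/).chomp')"
          echo "chef_version=${chef_version}" >> "$GITHUB_OUTPUT"
      - name: Set release/chef-version branch name
        id: chef_release
        # Step outputs are passed through env rather than interpolated into the
        # shell line, so the value is never parsed as shell syntax.
        env:
          CHEF_VERSION: ${{ steps.extract_chef_version.outputs.chef_version }}
        run: echo "branch=release/chef-v${CHEF_VERSION}" >> "$GITHUB_OUTPUT"
      - uses: peterjgrainger/[email protected]
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          branch: ${{ steps.chef_release.outputs.branch }}
          sha: ${{ needs.master-branch.outputs.sha }}
      - name: git-flow-merge-action
        uses: yanamura/git-flow-merge-action@v1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          branch: 'develop'
          # Can't turn off merging branch into both: develop_branch & main_branch... so hack it to just do master
          develop_branch: ${{ steps.chef_release.outputs.branch }}
          main_branch: 'master'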