git-flow-automerge: Check triggering user authz for perms >= write #140
# Merge PRs labeled release to master | |
name: git-flow-automerge | |
# Controls when the workflow will run | |
on: | |
# Trigger on pull request events tagged 'release' only for the develop branch | |
pull_request: | |
branches: [ develop ] | |
types: [ labeled, closed, edited ] | |
jobs: | |
master-branch: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
ref: master | |
- name: Extract master SHA | |
run: echo "::set-output name=sha::$(git rev-parse master)" | |
id: master_branch | |
- name: Check triggering user permissions | |
id: check_user_permissions | |
uses: actions-cool/[email protected] | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
username: github.triggering_actor | |
require: write | |
outputs: | |
sha: ${{ steps.master_branch.outputs.sha }} | |
authorized: ${{ steps.check_user_permissions.outputs.require-result }} | |
automerge: | |
if: needs.master-branch.outputs.authorized == true && github.event.pull_request.merged == true && (contains(github.event.pull_request.labels.*.name, 'release') || github.event.label.name == 'release') | |
runs-on: ubuntu-latest | |
needs: master-branch | |
steps: | |
- name: Dump GitHub context | |
env: | |
GITHUB_CONTEXT: ${{ toJson(github) }} | |
run: | | |
echo "$GITHUB_CONTEXT" | jq '.' | |
- name: Debug Master SHA | |
run: echo ${{ needs.master-branch.outputs.sha }} | |
- uses: actions/checkout@v3 | |
- uses: ruby/setup-ruby@v1 | |
with: | |
ruby-version: 2.6 # Not needed with a .ruby-version file | |
bundler-cache: true # runs 'bundle install' and caches installed gems automatically | |
- name: Extract Chef Version | |
run: | | |
bundle exec gem list --quiet --local --exact 'chef' | \ | |
ruby -ne 'version = gsub(/chef\s*\((?<version>.*)\)$/, %q/\k<version>/); \ | |
print "::set-output name=chef_version::#{version.chomp}"' | |
id: extract_chef_version | |
- name: Set release/chef-version branch name | |
run: | | |
echo '::set-output name=branch::release/chef-v${{ steps.extract_chef_version.outputs.chef_version }}' | |
id: chef_release | |
- uses: peterjgrainger/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
branch: ${{ steps.chef_release.outputs.branch }} | |
sha: ${{ needs.master-branch.outputs.sha }} | |
- name: git-flow-merge-action | |
uses: yanamura/git-flow-merge-action@v1 | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
branch: 'develop' | |
# Can't turn off merging branch into both: develop_branch & main_branch... so hack it to just do master | |
develop_branch: ${{ steps.chef_release.outputs.branch }} | |
main_branch: 'master' |
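Review bot: The permission check's `username:` line passes the literal text `github.triggering_actor` rather than the evaluated expression, so the lookup is made for a user of that name instead of the actor who applied the label or merged the PR; it should read `username: ${{ github.triggering_actor }}`. The gate in the automerge job's `if:` compares the job output with the boolean `true`, but job outputs are strings and `require-result` is emitted as the string `'true'`, and GitHub expression equality casts mismatched types to numbers (the string becomes NaN), so `== true` never holds; use `needs.master-branch.outputs.authorized == 'true'`. Because the check step has no `continue-on-error`, a failed lookup appears to fail the `master-branch` job and block `automerge` entirely, so the current form fails closed rather than opening a bypass, but it also means the authorization gate has not yet been exercised as written. The three `::set-output` commands are deprecated in favour of appending `name=value` to `$GITHUB_OUTPUT`, which is worth fixing in the same change.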