ci: add user permissions test for PR triggered tests

sclorg · Oct 2, 2024 · a827754 · a827754
1 parent 247adf0
commit a827754
Showing 1 changed file with 49 additions and 4 deletions.
diff --git a/.github/workflows/base-test-pr-trigger.yml b/.github/workflows/base-test-pr-trigger.yml
@@ -1,15 +1,60 @@
-on: pull_request_target
+# Inspired by https://github.com/osbuild/bootc-image-builder/blob/031df2b115743a87b6684d4894f3d1730afefc98/.github/workflows/testingfarm.yml
+name: Testing farm PR triggered tests
+
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+
+# To use testing farm we need the TF_API_KEY secret available inside the
+# forked repo which requires the pull_request_target trigger. To protect
+# the secrets we need to make sure only people with repo write access
+# can trigger this workflow. This means that ouside contributors will
+# get an initial failure when the workflow is run. But once someone from
+# the team re-triggers it it will work.
+#
+# Note that "pull_requqest_target" events are always triggered even
+# when the "Fork pull request workflows from outside collaborators"
+# setting is restricted to "Require approval for all outside collaborators"
+# (see https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks)
+#
+# Note also that this precautions might be overkill because a fork
+# cannot modify this workflow and all we do is run a branch inside
+# testing farm. But a) the scope of workflow may expand over time
+# b) it feels safer this way and is not a big burden in practise.
+#
+# This follows https://michaelheap.com/access-secrets-from-forks/
 jobs:
-  container-tests:
-    runs-on: ubuntu-22.04
+  testingfarm:
     name: "Smoke test for tfaga - pull_request_target"
+    runs-on: ubuntu-latest
+
     permissions:
       contents: read
       pull-requests: write
       statuses: write
+
     steps:
-      - name: Checkout repo
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@v2
+        with:
+          require: write
+          username: ${{ github.triggering_actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.triggering_actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          echo "Job originally triggered by ${{ github.actor }}"
+          exit 1
+
+      - name: Check out code
         uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Run the tests
         uses: ./