Add access checks prior to checking our PRs

Ensure only users with write permissions can run CI Signed-off-by: Kyle Squizzato <[email protected]>
Mirantis · Oct 31, 2024 · 5b352c5 · 5b352c5
1 parent 992d221
commit 5b352c5
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
@@ -12,6 +12,7 @@ on:
     paths-ignore:
       - 'config/**'
       - '**.md'
+      - '.github/**'
   push:
     tags:
       - '*'
@@ -32,6 +33,22 @@ jobs:
       clustername: ${{ steps.vars.outputs.clustername }}
       pr: ${{ steps.pr.outputs.result }}
     steps:
+      - name: Get User Permissions
+        id: checkAccess
+        uses: actions-cool/check-user-permission@v2
+        with:
+          require: write
+          username: ${{ github.triggering_actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permissions
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.triggering_actor }} does not have permissions on this repo."
+          echo "Current permission level: ${{ steps.checkAccess.outputs.user-permission }}"
+          echo "Job originally triggered by: ${{ github.actor }}"
+          echo "This job must be triggered by a user with proper permissions, if you have opened a PR and lack permissions please ask a repo collaborator to re-run this job on your behalf."
+          exit 1
       - name: Get PR ref
         uses: actions/github-script@v6
         id: pr