From 9cb3960370608db7a5c6df9393c42e0fc74bcd36 Mon Sep 17 00:00:00 2001 From: Kyle Squizzato Date: Fri, 18 Oct 2024 13:53:11 -0700 Subject: [PATCH] Add access checks prior to checking our PRs Ensure only users with write permissions can run CI Signed-off-by: Kyle Squizzato --- .github/workflows/build_test.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml index 526780723..fd61eaa73 100644 --- a/.github/workflows/build_test.yml +++ b/.github/workflows/build_test.yml @@ -12,6 +12,7 @@ on: paths-ignore: - 'config/**' - '**.md' + - '.github/**' push: tags: - '*' @@ -32,6 +33,22 @@ jobs: clustername: ${{ steps.vars.outputs.clustername }} pr: ${{ steps.pr.outputs.result }} steps: + - name: Get User Permissions + id: checkAccess + uses: actions-cool/check-user-permission@v2 + with: + require: write + username: ${{ github.triggering_actor }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Check User Permissions + if: steps.checkAccess.outputs.require-result == 'false' + run: | + echo "${{ github.triggering_actor }} does not have permissions on this repo." + echo "Current permission level: ${{ steps.checkAccess.outputs.user-permission }}" + echo "Job originally triggered by: ${{ github.actor }}" + echo "This job must be triggered by a user with proper permissions, if you have opened a PR and lack permissions please ask a repo collaborator to re-run this job on your behalf." + exit 1 - name: Get PR ref uses: actions/github-script@v6 id: pr
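Review bot: The `- '.github/**'` entry added under `paths-ignore` in the first hunk carries no comment, and it is easy to misread as a guard on workflow edits. GitHub skips a run only when every changed file matches an ignore pattern, so a pull request that edits `.github/` together with any other path still triggers this workflow. I would add `# skipped only when a PR changes nothing outside these paths; this is a trigger filter, not an access control` above the list. The event this filter belongs to is declared above the hunk, so which workflow definition runs for such a pull request cannot be confirmed from here.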
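Review bot: The `Check User Permissions` step in the second hunk fails open, because `if: steps.checkAccess.outputs.require-result == 'false'` stops the job only on the literal string `false`; an empty or unexpected output from the action lets the run continue to `Get PR ref`. Compare against the allowed value instead: `if: steps.checkAccess.outputs.require-result != 'true'`. The gate also depends on `actions-cool/check-user-permission@v2`, a third-party action referenced by a movable tag and handed `GITHUB_TOKEN`; pinning it as `actions-cool/check-user-permission@<full-commit-sha>  # v2` keeps a retagged release from changing the check. The `echo` lines expand `${{ … }}` expressions directly into the shell script, and passing those values through `env:` would be the safer habit. The job's remaining steps and any dependent jobs lie outside the hunk, so whether every job waits on this one is not visible here.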