11name : Automatically create and cleanup Turso DB branches for each PR
22
33on :
4- pull_request :
4+ pull_request_target :
55 types :
66 - opened
77 - reopened
@@ -16,11 +16,27 @@ jobs:
1616 permissions :
1717 contents : read
1818 steps :
19+ - name : Get user permissions
20+ id : permissions
21+ uses : actions-cool/check-user-permission@v2
22+ with :
23+ require : write
24+ username : ${{ github.triggering_actor }}
25+ env :
26+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
27+ - name : Check user permissions
28+ if : steps.permissions.outputs.require-result == 'false'
29+ run : |
30+ echo "${{ github.triggering_actor }} does not have permissions on this repo."
31+ echo "A user with write permissions should very carefully check the diff of this PR and then re-run the workflow if it is safe"
32+ exit 1
1933 - name : Get branch name
2034 id : branch_name
2135 uses : tj-actions/branch-names@v8
2236 - name : Checkout
2337 uses : actions/checkout@v4
38+ with :
39+ ref : ${{ github.event.pull_request.head.sha }} # This is dangerous without the first access check
2440 - name : Generate branched DB ID
2541 id : branch_db_id
2642 uses : actions/github-script@v7
6278 fi
6379 fi
6480
65- echo $RESPONSE
6681 HOSTNAME=$(echo $RESPONSE | jq -r '.database.Hostname')
6782 if [ -z "$HOSTNAME" ]; then
6883 echo "Hostname not found in response"
7287 echo "hostname=$HOSTNAME" >> $GITHUB_OUTPUT
7388 - name : Checkout
7489 uses : actions/checkout@v4
90+ with :
91+ ref : ${{ github.event.pull_request.head.sha }} # This is dangerous without the first access check
7592 - name : Run migrations
7693 env :
7794 DATABASE_URL : " libsql://${{ steps.create_db_branch.hostname }}"
93110 - name : Checkout
94111 if : github.event.pull_request.merged == true
95112 uses : actions/checkout@v4
113+ with :
114+ ref : ${{ github.event.pull_request.head.sha }} # This is dangerous without the first access check
96115 - name : Apply migrations to production
97116 if : github.event.pull_request.merged == true
98117 env :