ci: require repo write permissions for codebuild (#5421)

lrstewart · web-flow · commit 01ed1e79cf31 · 2025-07-15T11:08:18.000-07:00
diff --git a/.github/workflows/codebuild.yml b/.github/workflows/codebuild.yml
@@ -4,6 +4,9 @@ name: Codebuild
 on:
   push:
     branches: [main]
+  # This event can use aws credentials, but runs against upstream code instead of PR code.
+  # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#pull_request_target
+  # https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
   pull_request_target:
     branches: [main]
   merge_group:
@@ -17,22 +20,44 @@ jobs:
       id-token: write
       contents: read
     env:
-      event_name: ${{ github.event_name }}
       source_pr: pr/${{ github.event.pull_request.number }}
       source_sha: ${{ github.sha }}
+      pr_author: ${{ github.event.pull_request.user.login }}
     steps:
       - uses: actions/checkout@v4
+
+      - name: Get permissions
+        id: get_permission
+        if: github.event_name == 'pull_request_target'
+        uses: octokit/request-action@v2.x
+        with:
+          route: GET /repos/{repo}/collaborators/{author}/permission
+          repo: ${{ github.repository }}
+          author: ${{ github.event.pull_request.user.login }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Get credentials
         uses: aws-actions/configure-aws-credentials@v4.2.1
         with:
           role-to-assume: arn:aws:iam::024603541914:role/GitHubOIDCRole
           role-session-name: ${{ github.run_id }}
           aws-region: us-west-2
-      - name: Start Codebuild
+
+      - name: Start Codebuild for SHA
+        # This version runs when PRs are added to the merge queue or merged to main
+        if: github.event_name != 'pull_request_target'
+        run: ./codebuild/bin/start_codebuild.sh $source_sha
+
+      - name: Start Codebuild for PR
+        # This version runs when PRs are created or updated
+        if: github.event_name == 'pull_request_target'
         run: |
-          if [[ "$event_name" == "pull_request_target" ]]; then
-            source=$source_pr
+          permission=$(jq -r '.permission' <<< '${{ steps.get_permission.outputs.data }}')
+          echo "$pr_author has permission '$permission'".
+          if [[ "$permission" == "admin" || "$permission" == "write" ]]; then
+            ./codebuild/bin/start_codebuild.sh $source_pr
           else
-            source=$source_sha
+            echo "$pr_author does not have write permissions."
+            echo "A maintainer will need to manually run start_codebuild.sh."
           fi
-          ./codebuild/bin/start_codebuild.sh $source
