fix: Refactor GH Actions script permission checks

chmouel · claude · chmouel · commit 6f0d774b7f83 · 2025-10-23T11:17:08.000+02:00
Refactored the GitHub script used in the E2E workflow for checking pull
request submitter permissions. The logic was expanded to check for
trusted bots, organization team membership, organization membership, and
finally repository collaborator permissions, allowing for a more robust
set of conditions to permit workflow execution. Additionally, removed
legacy steps related to logging test failures and Slack reporting that
are now handled elsewhere or implicitly by the job status. The step was
also simplified to rely on the standard test runner output.

Co-authored-by: Claude &lt;noreply@anthropic.com&gt;
Signed-off-by: Chmouel Boudjnah &lt;chmouel@redhat.com&gt;
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -43,6 +43,7 @@ jobs:
         provider: [providers, gitea_others]
 
     env:
+      TARGET_TEAM_SLUGS: "pipeline-as-code,pipeline-as-code-contributors"
       KO_DOCKER_REPO: localhost:5000
       CONTROLLER_DOMAIN_URL: controller.paac-127-0-0-1.nip.io
       TEST_GITHUB_REPO_OWNER_GITHUBAPP: openshift-pipelines/pipelines-as-code-e2e-tests
@@ -79,35 +80,164 @@ jobs:
         uses: actions/github-script@v8
         with:
           script: |
-            const actor = context.payload.pull_request.user.login;
-            const org = context.repo.owner;
-
-            // Allow a specific list of trusted bots to bypass the permission check.
-            const trustedBots = ['dependabot[bot]']; // Add any other trusted bot accounts here
-            if (trustedBots.includes(actor)) {
-              core.info(`User @${actor} is a trusted bot, allowing.`);
+            if (!github || !github.context || !github.context.payload || !github.context.payload.pull_request) {
+              core.setFailed('Invalid GitHub context: missing required pull_request information');
               return;
             }
+            const context = github.context;
+
+            async function run() {
+              const actor = context.payload.pull_request.user.login;
+              const repoOwner = context.repo.owner;
+              const repoName = context.repo.repo;
+              const targetOrg = context.repo.owner;
+
+              core.info(`🔍 Starting permission check for user: @${actor}`);
+              core.info(`📋 Repository: ${repoOwner}/${repoName}`);
+              core.info(`🏢 Target organization: ${targetOrg}`);
+
+              // Condition 1: Check if the user is a trusted bot.
+              const trustedBots = ["dependabot[bot]", "renovate[bot]"];
+              core.info(`🤖 Checking if @${actor} is a trusted bot...`);
+              core.info(`   Trusted bots list: ${trustedBots.join(', ')}`);
+
+              if (trustedBots.includes(actor)) {
+                core.info(`✅ Condition met: User @${actor} is a trusted bot. Proceeding.`);
+                return; // Success
+              }
+              core.info(`   ❌ User @${actor} is not a trusted bot.`);
+
+              // Condition 2: Check for public membership in the target organization.
+              core.info(`\n👥 Condition 2: Checking organization and team membership...`);
+              core.info(
+                `User @${actor} is not a trusted bot. Checking for membership in '${targetOrg}'...`,
+              );
+              try {
+                // Optional: check membership in one or more org teams (set TARGET_TEAM_SLUGS as comma-separated slugs in workflow env)
+                const teamSlugsEnv = process.env.TARGET_TEAM_SLUGS || "";
+                const teamSlugs = teamSlugsEnv
+                  .split(",")
+                  .map((s) => s.trim())
+                  .filter(Boolean);
+
+                core.info(`🔧 TARGET_TEAM_SLUGS environment variable: "${teamSlugsEnv}"`);
+                core.info(`📝 Parsed team slugs: [${teamSlugs.join(', ')}]`);
+
+                if (teamSlugs.length > 0) {
+                  core.info(`🔍 Checking team membership for ${teamSlugs.length} team(s)...`);
+                  for (const team_slug of teamSlugs) {
+                    core.info(`   Checking team: ${team_slug}...`);
+                    try {
+                      const membership = await github.rest.teams.getMembershipForUserInOrg({
+                        org: targetOrg,
+                        team_slug,
+                        username: actor,
+                      });
+                      core.info(`   API response for team '${team_slug}': ${JSON.stringify(membership.data)}`);
+                      if (
+                        membership &&
+                        membership.data &&
+                        membership.data.state === "active"
+                      ) {
+                        core.info(
+                          `✅ Condition met: User @${actor} is a member of team '${team_slug}' in '${targetOrg}'. Proceeding.`,
+                        );
+                        return; // Success
+                      } else {
+                        core.info(`   ⚠️ Team membership found but state is not 'active': ${membership.data.state}`);
+                      }
+                    } catch (err) {
+                      // Not a member of this team or team doesn't exist — continue to next
+                      core.info(
+                        `   ❌ User @${actor} is not a member of team '${team_slug}' (or team not found). Error: ${err.message}`,
+                      );
+                    }
+                  }
+                  // If we tried team checks and none matched, continue to next org membership checks
+                  core.info(
+                    `ⓘ User @${actor} is not a member of any configured teams in '${targetOrg}'. Falling back to org membership checks.`,
+                  );
+                } else {
+                  core.info(`ℹ️ No teams configured in TARGET_TEAM_SLUGS. Skipping team membership checks.`);
+                }
+                core.info(`🏢 Checking organization membership for @${actor} in '${targetOrg}'...`);
+                try {
+                  core.info(`   Attempting checkMembershipForUser API call...`);
+                  await github.rest.orgs.checkMembershipForUser({
+                    org: targetOrg,
+                    username: actor,
+                  });
+                  core.info(
+                    `✅ Condition met: User @${actor} is a member of '${targetOrg}'. Proceeding.`,
+                  );
+                  return; // Success
+                } catch (err) {
+                  // Try public membership as fallback
+                  core.info(`   ❌ Private membership check failed: ${err.message}`);
+                  core.info(`   Attempting checkPublicMembershipForUser API call...`);
+                  try {
+                    await github.rest.orgs.checkPublicMembershipForUser({
+                      org: targetOrg,
+                      username: actor,
+                    });
+                    core.info(
+                      `✅ Condition met: User @${actor} is a public member of '${targetOrg}'. Proceeding.`,
+                    );
+                    return; // Success
+                  } catch (publicErr) {
+                    // Neither private nor public member - will be caught by outer catch
+                    core.info(`   ❌ Public membership check failed: ${publicErr.message}`);
+                    throw publicErr;
+                  }
+                }
+              } catch (error) {
+                // This is not a failure, just one unmet condition. Log and continue.
+                core.info(
+                  `ⓘ User @${actor} is not a public member of '${targetOrg}'. Checking repository permissions as a fallback.`,
+                );
+              }
+
+              // Condition 3: Check for write/admin permission on the repository.
+              core.info(`\n🔐 Condition 3: Checking repository collaborator permissions...`);
+              try {
+                core.info(`   Attempting getCollaboratorPermissionLevel API call...`);
+                const response = await github.rest.repos.getCollaboratorPermissionLevel({
+                  owner: repoOwner,
+                  repo: repoName,
+                  username: actor,
+                });
+
+                core.info(`   API response: ${JSON.stringify(response.data)}`);
+                const permission = response.data.permission;
+                core.info(`   User @${actor} has '${permission}' permission on ${repoOwner}/${repoName}`);
 
-            try {
-              // Directly check the user's permission level on the repository.
-              // This covers both org members and external collaborators with sufficient access.
-              const response = await github.rest.repos.getCollaboratorPermissionLevel({
-                owner: org,
-                repo: context.repo.repo,
-                username: actor,
-              });
-
-              const permission = response.data.permission;
-              if (permission !== 'admin' && permission !== 'write') {
-                core.setFailed(`❌ User @${actor} has only '${permission}' repository permission. 'write' or 'admin' is required.`);
-              } else {
-                core.info(`✅ User @${actor} has '${permission}' repository permission. Proceeding.`);
+                if (permission === "admin" || permission === "write") {
+                  core.info(
+                    `✅ Condition met: User @${actor} has '${permission}' repository permission. Proceeding.`,
+                  );
+                  return; // Success
+                } else {
+                  // If we reach here, no conditions were met. This is the final failure.
+                  core.info(`   ❌ Permission '${permission}' is insufficient (requires 'write' or 'admin')`);
+                  core.setFailed(
+                    `❌ Permission check failed. User @${actor} did not meet any required conditions (trusted bot, org member, or repo write access).`,
+                  );
+                }
+              } catch (error) {
+                // This error means they are not even a collaborator.
+                core.info(`   ❌ Collaborator permission check failed: ${error.message}`);
+                core.setFailed(
+                  `❌ Permission check failed. User @${actor} is not a collaborator on this repository and did not meet other conditions.`,
+                );
               }
-            } catch (error) {
-              core.setFailed(`Permission check failed for @${actor}. They are likely not a collaborator on the repository. Error: ${error.message}`);
             }
 
+            run().catch(err => {
+              core.error(`💥 Unexpected error during permission check: ${err.message}`);
+              core.error(`   Stack trace: ${err.stack}`);
+              core.setFailed(`Unexpected error during permission check: ${err.message}`);
+            });
+
       - uses: actions/setup-go@v6
         with:
           go-version-file: "go.mod"
@@ -175,9 +305,7 @@ jobs:
           TEST_BITBUCKET_SERVER_API_URL: ${{ secrets.BITBUCKET_SERVER_API_URL }}
           TEST_BITBUCKET_SERVER_WEBHOOK_SECRET: ${{ secrets.BITBUCKET_SERVER_WEBHOOK_SECRET }}
         run: |
-          set -o pipefail
-          LOG_FILE="/tmp/e2e-tests-${{ matrix.provider }}.log"
-          ./hack/gh-workflow-ci.sh run_e2e_tests 2>&1 | tee "${LOG_FILE}"
+          ./hack/gh-workflow-ci.sh run_e2e_tests
 
       - name: Run E2E Tests on nightly
         # This step still runs specifically for schedule or workflow_dispatch
@@ -196,30 +324,7 @@ jobs:
           TEST_BITBUCKET_SERVER_API_URL: ${{ secrets.BITBUCKET_SERVER_API_URL }}
           TEST_BITBUCKET_SERVER_WEBHOOK_SECRET: ${{ secrets.BITBUCKET_SERVER_WEBHOOK_SECRET }}
         run: |
-          set -o pipefail
-          LOG_FILE="/tmp/e2e-tests-${{ matrix.provider }}.log"
-          ./hack/gh-workflow-ci.sh run_e2e_tests 2>&1 | tee "${LOG_FILE}"
-
-      - name: Summarize failing tests
-        if: ${{ failure() }}
-        id: failing-tests
-        run: |
-          LOG_FILE="/tmp/e2e-tests-${{ matrix.provider }}.log"
-          if [[ ! -f "${LOG_FILE}" || ! -s "${LOG_FILE}" ]]; then
-            echo "slack_message=E2E job failed but no test log was captured for provider '${{ matrix.provider }}'." >> "${GITHUB_OUTPUT}"
-            exit 0
-          fi
-
-          mapfile -t FAILURES < <(grep -E '^--- FAIL: ' "${LOG_FILE}" | sed -E 's/^--- FAIL: ([^[:space:]]+).*/\1/' | sort -u)
-
-          if [[ ${#FAILURES[@]} -eq 0 ]]; then
-            echo "slack_message=E2E job failed without explicit go test failures; check workflow logs for provider '${{ matrix.provider }}'." >> "${GITHUB_OUTPUT}"
-            exit 0
-          fi
-
-          joined_failures=$(printf '%s, ' "${FAILURES[@]}")
-          joined_failures=${joined_failures%, }
-          echo "slack_message=Failing tests for provider ${{ matrix.provider }}: ${joined_failures}" >> "${GITHUB_OUTPUT}"
+          ./hack/gh-workflow-ci.sh run_e2e_tests
 
       - name: Collect logs
         if: ${{ always() }}
@@ -241,14 +346,11 @@ jobs:
           name: logs-e2e-tests-${{ matrix.provider }}
           path: /tmp/logs
 
-      - name: Report E2E test results to Slack
+      - name: Report Status
         if: ${{ always() && github.ref_name == 'main' && github.event_name == 'schedule' }}
         uses: ravsamhq/notify-slack-action@v2
         with:
           status: ${{ job.status }}
           notify_when: "failure"
-          message_format: |
-            {emoji} *{workflow}* {status_message} in <{repo_url}|{repo}@{branch}> on <{commit_url}|{commit_sha}>
-            ${{ steps.failing-tests.outputs.slack_message }}
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
