2525 - " test/testdata/**"
2626
2727jobs :
28+ # New Job: Checks permissions for PRs and outputs the result.
29+ check-permissions :
30+ name : Check PR author permissions
31+ # This job only runs for pull_request_target events.
32+ if : github.event_name == 'pull_request_target'
33+ runs-on : ubuntu-latest
34+ outputs :
35+ granted : ${{ steps.permission_check.outputs.result }}
36+ steps :
37+ - name : Check user permissions
38+ id : permission_check
39+ uses : actions/github-script@v7
40+ with :
41+ result-encoding : string # Capture the script's return value as an output
42+ script : |
43+ const actor = context.payload.pull_request.user.login;
44+
45+ // Allow dependabot and other bots unconditionally.
46+ if (actor.endsWith('[bot]')) {
47+ core.info(`User @${actor} is a bot, allowing.`);
48+ return 'true';
49+ }
50+
51+ try {
52+ const response = await github.rest.repos.getCollaboratorPermissionLevel({
53+ owner: context.repo.owner,
54+ repo: context.repo.repo,
55+ username: actor,
56+ });
57+
58+ const permission = response.data.permission;
59+ if (permission === 'admin' || permission === 'write') {
60+ core.info(`✅ User @${actor} has '${permission}' permission. Proceeding.`);
61+ return 'true';
62+ } else {
63+ core.warning(`User @${actor} has '${permission}' permission. 'write' or 'admin' is required. Skipping E2E tests.`);
64+ return 'false';
65+ }
66+ } catch (error) {
67+ core.warning(`Could not verify permission for @${actor}. They might not be a collaborator. Error: ${error.message}`);
68+ return 'false';
69+ }
70+
71+ # Modified Job: Now depends on the check-permissions job.
2872 e2e-tests :
29- # Run on schedule, unconditional workflow_dispatch,
30- # or pull_request_target if the actor has write/admin permissions .
73+ needs : [check-permissions] # It depends on the result of the check.
74+ # The job runs on schedule/dispatch, or on PRs if the check-permissions job granted access .
3175 if : >
3276 github.event_name == 'schedule' ||
3377 github.event_name == 'workflow_dispatch' ||
@@ -128,8 +172,8 @@ jobs:
128172 nohup gosmee client --saveDir /tmp/gosmee-replay ${{ secrets.PYSMEE_URL }} "http://${CONTROLLER_DOMAIN_URL}" &
129173
130174name : Setup tmate session
131- uses : mxschmitt/action-tmate@v3
132175 if : ${{ github.event_name == 'workflow_dispatch' && inputs.debug_enabled }}
176+ uses : mxschmitt/action-tmate@v3
133177 with :
134178 detached : true
135179 limit-access-to-actor : true
@@ -156,11 +200,8 @@ jobs:
156200 run : |
157201 ./hack/gh-workflow-ci.sh create_second_github_app_controller_on_ghe
158202
159- # Adjusted step-level conditions based on the new job-level logic
160203name : Run E2E Tests
161- # This step runs for schedule, PR target (if job started), or workflow_dispatch (if job started)
162- # Remove the old label check which is no longer relevant for triggering.
163- if : ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request_target' }}
204+ # The job-level `if` condition already handles this, so the step can run unconditionally
164205 env :
165206 TEST_PROVIDER : ${{ matrix.provider }}
166207 TEST_BITBUCKET_CLOUD_TOKEN : ${{ secrets.BITBUCKET_CLOUD_TOKEN }}
@@ -177,7 +218,6 @@ jobs:
177218 ./hack/gh-workflow-ci.sh run_e2e_tests
178219
179220name : Run E2E Tests on nightly
180- # This step still runs specifically for schedule or workflow_dispatch
181221 if : ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
182222 env :
183223 NIGHTLY_E2E_TEST : " true"
@@ -223,3 +263,4 @@ jobs:
223263 notify_when : " failure"
224264 env :
225265 SLACK_WEBHOOK_URL : ${{ secrets.SLACK_WEBHOOK_URL }}
266+
0 commit comments