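# Trigger deployment tests from PR comments
#
# Usage: Comment `/deployment-test` on a PR
#
# This workflow validates the commenter is an org member and triggers
# the deployment-tests.yml workflow with the PR context.
#
# Trust model: the comment body and PR metadata are untrusted input; the
# only gate is the org-membership check in the first step. Values derived
# from the PR (branch name, number) are handed to scripts via `env:` so
# they are never interpolated into JavaScript source.
#
---
name: Deployment Test Command

on:
  issue_comment:
    types: [created]

permissions:
  contents: read
  pull-requests: write # To post the "not a member" reply on the PR
  actions: write # To trigger workflows

jobs:
  deployment-test:
    # Only run when the comment is exactly /deployment-test on a PR
    if: >-
      ${{
        github.event.comment.body == '/deployment-test' &&
        github.event.issue.pull_request &&
        github.repository_owner == 'microsoft'
      }}
    runs-on: ubuntu-latest
    steps:
      - name: Check org membership
        id: check_membership
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            // Sets the `is_member` output ('true' / 'false') for the commenter.
            // A 404 from the membership endpoint means "not a member" and is
            // reported back on the PR; any other error fails the job.
            const commenter = context.payload.comment.user.login;
            try {
              // Check if user is a member of the dotnet org
              // NOTE(review): whether private membership is visible depends on
              // the token used here — confirm for the deployment org.
              const { status } = await github.rest.orgs.checkMembershipForUser({
                org: 'dotnet',
                username: commenter
              });
              if (status === 204 || status === 302) {
                core.info(`✅ ${commenter} is a member of dotnet org`);
                core.setOutput('is_member', 'true');
                return;
              }
            } catch (error) {
              if (error.status === 404) {
                core.warning(`❌ ${commenter} is not a member of dotnet org`);
                core.setOutput('is_member', 'false');
                // Post a comment explaining the restriction
                await github.rest.issues.createComment({
                  owner: context.repo.owner,
                  repo: context.repo.repo,
                  issue_number: context.issue.number,
                  body: `@${commenter} The \`/deployment-test\` command is restricted to dotnet org members for security reasons (it deploys to real Azure infrastructure).`
                });
                return;
              }
              throw error;
            }

      - name: Get PR details
        if: steps.check_membership.outputs.is_member == 'true'
        id: pr
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            // Exposes the PR number, head SHA and head branch as step outputs.
            const { data: pr } = await github.rest.pulls.get({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.issue.number
            });
            // The dispatch below resolves `ref` inside this repository, so a
            // branch name coming from a fork would either not exist here or,
            // worse, match an unrelated branch of the same name. Refuse those.
            const thisRepo = `${context.repo.owner}/${context.repo.repo}`;
            const headRepo = pr.head.repo ? pr.head.repo.full_name : null;
            if (headRepo !== thisRepo) {
              core.setFailed(`PR #${pr.number} head is in ${headRepo ?? 'a deleted fork'}, not ${thisRepo}; only same-repo branches can be dispatched.`);
              return;
            }
            core.setOutput('number', pr.number);
            core.setOutput('head_sha', pr.head.sha);
            core.setOutput('head_ref', pr.head.ref);

      - name: Trigger deployment tests
        if: steps.check_membership.outputs.is_member == 'true'
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        env:
          # Passed through the environment instead of being expanded into the
          # script text: a branch name containing a quote would otherwise be
          # able to rewrite the JavaScript below.
          HEAD_REF: ${{ steps.pr.outputs.head_ref }}
          PR_NUMBER: ${{ steps.pr.outputs.number }}
        with:
          script: |
            // Dispatch from the PR's head ref to test the PR's code changes.
            // Security: Org membership check is the security boundary - only trusted
            // dotnet org members can trigger this workflow.
            // Note: The triggered workflow posts its own "starting" comment with the run URL.
            // workflow_dispatch takes a branch or tag name, not a commit SHA, so the
            // branch may move between the lookup above and the run it triggers.
            await github.rest.actions.createWorkflowDispatch({
              owner: context.repo.owner,
              repo: context.repo.repo,
              workflow_id: 'deployment-tests.yml',
              ref: process.env.HEAD_REF,
              inputs: {
                pr_number: process.env.PR_NUMBER
              }
            });
            core.info('✅ Triggered deployment-tests.yml workflow');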