FAIL - change .metadata.namespace #12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# description: | | |
# This GitHub Action will check every namespace amended in a PR, take the RBAC team name and confirm | |
# the user is in that team. | |
name: Check if user can amend namespace | |
on: | |
pull_request: | |
paths: | |
- 'namespaces/live.cloud-platform.service.justice.gov.uk/**' | |
env: | |
PR_OWNER: ${{ github.event.pull_request.user.login }} | |
BRANCH: ${{ github.head_ref }} | |
# GITHUB_OAUTH_TOKEN created manually by the cloud-platform-bot-user in last pass. | |
GITHUB_OAUTH_TOKEN: ${{ secrets.CHECK_GITHUB_TEAM }} | |
jobs: | |
rbac-permissions-check: | |
runs-on: ${{ matrix.os }} | |
strategy: | |
matrix: | |
os: [ubuntu-latest] | |
steps: | |
- name: Checkout PR code | |
uses: actions/checkout@v4 | |
# Runs custom script to check if the person who raised the PR is in the | |
# correct GitHub team. | |
- name: Check the PR owner is in the correct rbac group | |
id: review_pr | |
uses: ministryofjustice/cloud-platform-environments/cmd/rbac-permissions-check@main | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
# If the user isn't permitted to make the change, write a comment in the issue. | |
- name: Create comment in the PR | |
uses: peter-evans/create-or-update-comment@v4 | |
if: steps.review_pr.outputs.reviewOutput == 'false' | |
with: | |
issue-number: ${{ github.event.pull_request.number }} | |
body: | | |
The owner of this PR isn't a member of the relevant rbac teams. | |
# We need GitHub Actions to report a fail if the user isn't permitted. | |
- name: If user not in the rbac group; then fail | |
if: steps.review_pr.outputs.reviewOutput == 'false' | |
run: exit 1 |