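# description: |
#   This GitHub Action will check every namespace amended in a PR, take the RBAC team name and confirm
#   the user is in that team.
name: Check if user can amend namespace

# pull_request (not pull_request_target) runs in the context of the PR branch.
# NOTE(review): for PRs opened from forks, repository secrets are not exposed and
# GITHUB_TOKEN is read-only, so the comment step would not be able to post — this
# workflow appears to assume same-repository PRs; confirm.
on:
  pull_request:
    paths:
      - 'namespaces/live.cloud-platform.service.justice.gov.uk/**'

# Least privilege for the default GITHUB_TOKEN: read the checkout, write the PR
# comment, nothing else. Declaring this explicitly also keeps the workflow
# working when the repository default token permissions are set to read-only.
permissions:
  contents: read
  pull-requests: write

env:
  PR_OWNER: ${{ github.event.pull_request.user.login }}
  BRANCH: ${{ github.head_ref }}

jobs:
  rbac-permissions-check:
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
        os: [ubuntu-latest]
    steps:
      - name: Checkout PR code
        uses: actions/checkout@v4

      # Runs custom script to check if the person who raised the PR is in the
      # correct GitHub team.
      # The action is consumed from a mutable branch ref (@main) of the upstream
      # repository; a release tag or full commit SHA would make this check
      # reproducible and independent of upstream changes.
      - name: Check the PR owner is in the correct rbac group
        id: review_pr
        uses: ministryofjustice/cloud-platform-environments/cmd/rbac-permissions-check@main
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # GITHUB_OAUTH_TOKEN created manually by the cloud-platform-bot-user in last pass.
          # Scoped to this step only (previously workflow-wide) so the bot PAT is
          # not exposed to the third-party comment action or the shell step below.
          GITHUB_OAUTH_TOKEN: ${{ secrets.CHECK_GITHUB_TEAM }}

      # If the user isn't permitted to make the change, write a comment in the issue.
      # Third-party action pinned to a major tag only; pin to a full commit SHA if
      # supply-chain policy requires immutable action references.
      - name: Create comment in the PR
        uses: peter-evans/create-or-update-comment@v4
        if: steps.review_pr.outputs.reviewOutput == 'false'
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body: |
            The owner of this PR isn't a member of the relevant rbac teams.

      # We need GitHub Actions to report a fail if the user isn't permitted.
      # NOTE(review): this gate fails only on a literal 'false'. If the check
      # action exits without setting reviewOutput (or sets an unexpected value),
      # the job passes silently. Confirm the action always emits 'true'/'false',
      # or compare with != 'true' to fail closed.
      - name: If user not in the rbac group; then fail
        if: steps.review_pr.outputs.reviewOutput == 'false'
        run: exit 1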