|
32 | 32 | CODER_RELEASE_NOTES: ${{ inputs.release_notes }} |
33 | 33 |
|
34 | 34 | jobs: |
| 35 | + # Only allow maintainers/admins to release. |
| 36 | + check-perms: |
| 37 | + runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }} |
| 38 | + steps: |
| 39 | + - name: Allow only maintainers/admins |
| 40 | + uses: actions/github-script@v7.0.1 |
| 41 | + with: |
| 42 | + github-token: ${{ secrets.GITHUB_TOKEN }} |
| 43 | + script: | |
| 44 | + const {data} = await github.rest.repos.getCollaboratorPermissionLevel({ |
| 45 | + owner: context.repo.owner, |
| 46 | + repo: context.repo.repo, |
| 47 | + username: context.actor |
| 48 | + }); |
| 49 | + const role = data.role_name || data.user?.role_name || data.permission; |
| 50 | + const perms = data.user?.permissions || {}; |
| 51 | + core.info(`Actor ${context.actor} permission=${data.permission}, role_name=${role}`); |
| 52 | +
|
| 53 | + const allowed = |
| 54 | + role === 'admin' || |
| 55 | + role === 'maintain' || |
| 56 | + perms.admin === true || |
| 57 | + perms.maintain === true; |
| 58 | +
|
| 59 | + if (!allowed) core.setFailed('Denied: requires maintain or admin'); |
| 60 | +
|
35 | 61 | # build-dylib is a separate job to build the dylib on macOS. |
36 | 62 | build-dylib: |
37 | 63 | runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest' }} |
| 64 | + needs: check-perms |
38 | 65 | steps: |
39 | 66 | # Harden Runner doesn't work on macOS. |
40 | 67 | - name: Checkout |
@@ -114,7 +141,7 @@ jobs: |
114 | 141 |
|
115 | 142 | release: |
116 | 143 | name: Build and publish |
117 | | - needs: build-dylib |
| 144 | + needs: [build-dylib, check-perms] |
118 | 145 | runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }} |
119 | 146 | permissions: |
120 | 147 | # Required to publish a release |
|
0 commit comments