From 6c986c3f03e78c10ed09ebb3b201828ce28b14c2 Mon Sep 17 00:00:00 2001 From: Ido Heyvi Date: Mon, 18 Nov 2024 12:19:25 +0200 Subject: [PATCH] Since custom GH secrets are not propagated for forked PRs A new step has been added to verify that actor is a member of Mellanox/cloud-orchestration team --- .github/workflows/docs-ci.yaml | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docs-ci.yaml b/.github/workflows/docs-ci.yaml index 282d843..e266cf6 100644 --- a/.github/workflows/docs-ci.yaml +++ b/.github/workflows/docs-ci.yaml @@ -15,6 +15,9 @@ on: jobs: docs-ci: + permissions: + contents: write + pull-requests: write runs-on: ubuntu-latest env: GH_TOKEN: ${{ secrets.GH_TOKEN_NVIDIA_CI_CD }} @@ -27,10 +30,24 @@ jobs: PR_NUMBER: ${{ github.event.number }} PR_TITLE_PREFIX: "task: update documentation for" steps: + - name: Check if PR actor is part of team + env: + ACTOR: ${{ github.actor }} + run: | + response=$(curl -H "Authorization: Bearer $GH_TOKEN" \ + -H "Accept: application/vnd.github+json" \ + "https://api.github.com/orgs/Mellanox/teams/cloud-orchestration/members/$ACTOR") + + if [[ $(echo "$response" | jq -r '.message') == "Not Found" ]]; then + echo "Actor $ACTOR is not part of the 'Mellanox/cloud-orchestration' team and cannot initiate 'Documentation CI' workflow" + exit 1 + else + echo "Actor $ACTOR is part of the 'Mellanox/cloud-orchestration' team" + fi - uses: actions/checkout@v4 with: repository: ${{ github.repository_owner }}/network-operator-docs # repo must be explicitly set here for workflow calling to behave correctly - token: ${{ inputs.token || secrets.GH_TOKEN_NVIDIA_CI_CD }} # token must be explicitly set here for push to work in following step + token: ${{ inputs.token || secrets.GH_TOKEN }} - name: Setup Go uses: actions/setup-go@v5.0.2 with:
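Review bot: The new `permissions:` block grants `contents: write` and `pull-requests: write` to the job's GITHUB_TOKEN, yet every credential visible in this patch is the PAT in `GH_TOKEN` (`secrets.GH_TOKEN_NVIDIA_CI_CD`), so it is not clear which step needs the elevated default token; if none does, drop the block or reduce it to `contents: read`. If the trigger is `pull_request` from a fork — the case the commit message is about — the default token is read-only regardless of what is declared here, so the grant would not even achieve its presumable aim there; the `on:` section is outside this hunk, so I cannot confirm the trigger.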
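Review bot: The membership gate in the new `Check if PR actor is part of team` step fails open: it exits non-zero only when `.message` is exactly `Not Found`, so a 401 `Bad credentials` (exactly what happens when `GH_TOKEN` is empty on a fork PR), a 403 rate-limit reply, a 5xx body or an empty body from a transport error all reach the "is part of the team" branch and let the run proceed. Gate on the HTTP status and require the documented 204 for a member as below; also verify the route itself, since the documented org-scoped form is `.../teams/cloud-orchestration/memberships/$ACTOR` (200 with a `.state` to compare against `active`). Separately, the changed checkout line now reads `secrets.GH_TOKEN`, which names a repository secret, not the job-level `env: GH_TOKEN` defined a few lines above; unless such a secret exists this evaluates to empty and checkout will reject the missing token, so `env.GH_TOKEN` or the original `secrets.GH_TOKEN_NVIDIA_CI_CD` is presumably what was intended. Note too that `github.actor` is whoever triggered the run rather than necessarily the PR author, which matters if the trigger is `pull_request_target` — the `on:` section is outside this hunk.
```yaml
      - name: Check if PR actor is part of team
        env:
          ACTOR: ${{ github.actor }}
        run: |
          # Fail closed: only a 204 (actor is a team member) lets the workflow continue.
          status=$(curl -sS -o /dev/null -w '%{http_code}' \
            -H "Authorization: Bearer $GH_TOKEN" \
            -H "Accept: application/vnd.github+json" \
            "https://api.github.com/orgs/Mellanox/teams/cloud-orchestration/members/$ACTOR")
          if [[ "$status" != "204" ]]; then
            echo "Actor $ACTOR is not part of the 'Mellanox/cloud-orchestration' team (HTTP $status) and cannot initiate 'Documentation CI' workflow"
            exit 1
          fi
          echo "Actor $ACTOR is part of the 'Mellanox/cloud-orchestration' team"
      # … unchanged: checkout, Setup Go …
```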