11
11
branches :
12
12
- main
13
13
14
-
15
14
jobs :
16
15
comment-on-pr :
17
16
runs-on : ubuntu-latest
18
17
permissions :
19
18
pull-requests : write
20
19
21
20
steps :
22
- # NOTE: The following checks may not be accurate depending on Org or Repo settings.
23
- - name : Check user and potential secret access
24
- id : check-secrets-access
25
- env :
26
- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
27
- run : |
28
- USER_LOGIN="${{ github.event.pull_request.user.login }}"
29
- REPO_OWNER="${{ github.repository_owner }}"
30
- REPO_NAME="${{ github.event.repository.name }}"
31
-
32
- echo "Pull request opened by: $USER_LOGIN"
33
-
34
- # Check if PR is from a fork
35
- IS_FORK=$([[ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]] && echo "true" || echo "false")
36
-
37
- HAS_ACCESS="false"
38
-
39
- # Check user's permission level on the repository
40
- USER_PERMISSION=$(gh api repos/$REPO_OWNER/$REPO_NAME/collaborators/$USER_LOGIN/permission --jq '.permission')
41
-
42
- if [[ "$USER_PERMISSION" == "admin" || "$USER_PERMISSION" == "write" ]]; then
43
- HAS_ACCESS="true"
44
- elif [[ "$USER_PERMISSION" == "read" ]]; then
45
- # For read access, we need to check if the user has been explicitly granted secret access
46
- # This information is not directly available via API, so we'll make an assumption
47
- # that read access does not imply secret access
48
- HAS_ACCESS="false"
49
- fi
50
-
51
- # Check if repo owner is an organization
52
- IS_ORG=$(gh api users/$REPO_OWNER --jq '.type == "Organization"')
53
-
54
- if [[ "$IS_ORG" == "true" && "$HAS_ACCESS" == "false" ]]; then
55
- # Check if user is a member of any team with write or admin access to the repo
56
- TEAMS_WITH_ACCESS=$(gh api repos/$REPO_OWNER/$REPO_NAME/teams --jq '.[] | select(.permission == "push" or .permission == "admin") | .slug')
57
- for team in $TEAMS_WITH_ACCESS; do
58
- IS_TEAM_MEMBER=$(gh api orgs/$REPO_OWNER/teams/$team/memberships/$USER_LOGIN --silent && echo "true" || echo "false")
59
- if [[ "$IS_TEAM_MEMBER" == "true" ]]; then
60
- HAS_ACCESS="true"
61
- break
62
- fi
63
- done
64
- fi
65
-
66
- # If it's a fork, set HAS_ACCESS to false regardless of other checks
67
- if [[ "$IS_FORK" == "true" ]]; then
68
- HAS_ACCESS="false"
69
- fi
70
-
71
- echo "has_secrets_access=$HAS_ACCESS" >> $GITHUB_OUTPUT
72
- if [[ "$HAS_ACCESS" == "true" ]]; then
73
- echo "User $USER_LOGIN likely has access to secrets"
74
- else
75
- echo "User $USER_LOGIN likely does not have access to secrets"
76
- fi
77
-
78
-
79
21
- uses : actions/checkout@v4
80
22
81
23
- name : Delete old comments
82
- if : steps.check-secrets-access.outputs.has_secrets_access != 'true'
83
24
env :
84
25
GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
85
26
run : |
86
27
# Delete previous comment if it exists
87
28
previous_comment_ids=$(gh api "repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
88
- --jq '.[] | select(.body | startswith("<!-- INTEGRATION_TESTS -->")) | .id')
29
+ --jq '.[] | select(.body | startswith("<!-- INTEGRATION_TESTS_MANUAL -->")) | .id')
89
30
echo "Previous comment IDs: $previous_comment_ids"
90
31
# Iterate over each comment ID and delete the comment
91
32
if [ ! -z "$previous_comment_ids" ]; then
@@ -96,14 +37,15 @@ jobs:
96
37
fi
97
38
98
39
- name : Comment on PR
99
- if : steps.check-secrets-access.outputs.has_secrets_access != 'true'
100
40
env :
101
41
GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
102
42
COMMIT_SHA : ${{ github.event.pull_request.head.sha }}
103
43
run : |
104
44
gh pr comment ${{ github.event.pull_request.number }} --body \
105
- "<!-- INTEGRATION_TESTS -->
106
- Run integration tests manually:
45
+ "<!-- INTEGRATION_TESTS_MANUAL -->
46
+ If integration tests don't run automatically, an authorized user can run them manually by following the instructions below:
47
+
48
+ Trigger:
107
49
[go/deco-tests-run/sdk-java](https://go/deco-tests-run/sdk-java)
108
50
109
51
Inputs: