
Commit edaf24c

authored
Merge pull request #2789 from fullsend-ai/trust-renovate-bot-in-test-gate
fix(ci): treat renovate bot as trusted for e2e/functional test gates
2 parents eb4cd14 + 330a31b commit edaf24c

2 files changed

Lines changed: 30 additions & 3 deletions


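--- a/scripts/check-e2e-authorization-test.sh
+++ b/scripts/check-e2e-authorization-test.sh
@@ -142,6 +142,20 @@ run_case "trusted collaborator author" "true" "trusted_author" "false"
 write_pr "CONTRIBUTOR" '[]'
 run_case "contributor author denied" "false" "unauthorized" "false"
 
+# --- Trusted bot tests ---
+
+export PR_AUTHOR_ASSOCIATION="CONTRIBUTOR"
+export PR_AUTHOR_LOGIN="renovate-fullsend[bot]"
+echo "" >"${COLLAB_ROLE}"
+write_pr "NONE" '[]'
+run_case "renovate bot authorized as trusted bot" "true" "trusted_bot" "false"
+
+export PR_AUTHOR_LOGIN="some-other-bot[bot]"
+write_pr "NONE" '[]'
+run_case "unknown bot not authorized" "false" "unauthorized" "false"
+
+unset PR_AUTHOR_ASSOCIATION PR_AUTHOR_LOGIN
+
 write_pr "MEMBER" '[{"name":"ok-to-test"}]'
 run_case "trusted member ignores stale ok-to-test label" "true" "trusted_author" "false"
 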
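Review bot: The negative coverage added here is a single unrelated name (`some-other-bot[bot]`), which would still pass if the match in the authorization script were ever loosened to a prefix or substring comparison. A near-miss case pins exact matching: `export PR_AUTHOR_LOGIN="renovate-fullsend"` followed by `write_pr "NONE" '[]'` and `run_case "bot login without [bot] suffix not authorized" "false" "unauthorized" "false"`. A case with `PR_AUTHOR_LOGIN` set to the empty string and the same expectations would likewise confirm that a missing login is never reported as `trusted_bot`.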

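--- a/scripts/check-e2e-authorization.sh
+++ b/scripts/check-e2e-authorization.sh
@@ -1,9 +1,10 @@
 #!/usr/bin/env bash
 # check-e2e-authorization.sh — Decide whether a PR may run e2e tests in CI.
 #
-# Authorized when the PR author is OWNER/MEMBER/COLLABORATOR, or when the
-# collaborator permission API confirms write+ access, or when a fresh
-# ok-to-test label was applied after the latest push.
+# Authorized when the PR author is OWNER/MEMBER/COLLABORATOR, when the author
+# is a trusted bot (e.g. renovate-fullsend[bot]), when the collaborator
+# permission API confirms write+ access, or when a fresh ok-to-test label was
+# applied after the latest push.
 #
 # The author_association field from the event payload can misreport org members
 # whose membership visibility is private (returns CONTRIBUTOR/NONE instead of
@@ -31,6 +32,7 @@ PR_NUMBER="${1:?PR number required}"
 REPOSITORY="${2:?repository (owner/repo) required}"
 
 TRUSTED_ASSOCIATIONS="OWNER MEMBER COLLABORATOR"
+TRUSTED_BOT_LOGINS="renovate-fullsend[bot]"
 OK_TO_TEST_LABEL="ok-to-test"
 
 write_error_output() {
@@ -55,6 +57,14 @@ is_trusted_author() {
 esac
 }
 
+is_trusted_bot() {
+local login="${1:-}"
+case " ${TRUSTED_BOT_LOGINS} " in
+*" ${login} "*) return 0 ;;
+*) return 1 ;;
+esac
+}
+
 # Fallback: check actor has write+ permission via the collaborator permission
 # API, which correctly resolves org membership regardless of visibility
 # (private vs public). Same approach as the dispatch workflow.
@@ -89,6 +99,9 @@ fi
 if is_trusted_author "${author_association}"; then
 authorized=true
 reason="trusted_author"
+elif is_trusted_bot "${PR_AUTHOR_LOGIN:-}"; then
+authorized=true
+reason="trusted_bot"
 elif has_write_permission "${PR_AUTHOR_LOGIN:-}" 2>/dev/null; then
 # author_association was wrong (e.g. private org membership); collaborator
 # permission API confirms write+ access.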
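Review bot: `is_trusted_bot` accepts an empty login without a guard, and the new `elif` passes `"${PR_AUTHOR_LOGIN:-}"`, so an unset variable reaches the match as an empty string. With the current single-entry list the resulting pattern `*"  "*` cannot match, but an empty `TRUSTED_BOT_LOGINS` or a doubled space in it would authorize that empty login as `trusted_bot`. Adding `[[ -n "${login}" ]] || return 1` after the `local` line makes the gate fail closed. The branch also trusts the login string alone and runs before the permission check, so a comment next to `TRUSTED_BOT_LOGINS` should say that entries must be exact GitHub App logins and that `PR_AUTHOR_LOGIN` is expected to come from the PR author field of the event payload (its source is not visible in these hunks).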
