11#! /usr/bin/env bash
22# check-e2e-authorization.sh — Decide whether a PR may run e2e tests in CI.
33#
4- # Authorized when the PR author is OWNER/MEMBER/COLLABORATOR, or when the
5- # collaborator permission API confirms write+ access, or when a fresh
6- # ok-to-test label was applied after the latest push.
4+ # Authorized when the PR author is OWNER/MEMBER/COLLABORATOR, when the author
5+ # is a trusted bot (e.g. renovate-fullsend[bot]), when the collaborator
6+ # permission API confirms write+ access, or when a fresh ok-to-test label was
7+ # applied after the latest push.
78#
89# The author_association field from the event payload can misreport org members
910# whose membership visibility is private (returns CONTRIBUTOR/NONE instead of
@@ -31,6 +32,7 @@ PR_NUMBER="${1:?PR number required}"
3132REPOSITORY=" ${2:? repository (owner/ repo) required} "
3233
3334TRUSTED_ASSOCIATIONS=" OWNER MEMBER COLLABORATOR"
35+ TRUSTED_BOT_LOGINS=" renovate-fullsend[bot]"
3436OK_TO_TEST_LABEL=" ok-to-test"
3537
3638write_error_output () {
@@ -55,6 +57,14 @@ is_trusted_author() {
5557 esac
5658}
5759
60+ is_trusted_bot () {
61+ local login=" ${1:- } "
62+ case " ${TRUSTED_BOT_LOGINS} " in
63+ * " ${login} " * ) return 0 ;;
64+ * ) return 1 ;;
65+ esac
66+ }
67+
5868# Fallback: check actor has write+ permission via the collaborator permission
5969# API, which correctly resolves org membership regardless of visibility
6070# (private vs public). Same approach as the dispatch workflow.
8999if is_trusted_author " ${author_association} " ; then
90100 authorized=true
91101 reason=" trusted_author"
102+ elif is_trusted_bot " ${PR_AUTHOR_LOGIN:- } " ; then
103+ authorized=true
104+ reason=" trusted_bot"
92105elif has_write_permission " ${PR_AUTHOR_LOGIN:- } " 2> /dev/null; then
93106 # author_association was wrong (e.g. private org membership); collaborator
94107 # permission API confirms write+ access.
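Review bot: `is_trusted_bot` has no guard for an empty login, so as rendered here it rejects an unset `PR_AUTHOR_LOGIN` only because `TRUSTED_BOT_LOGINS` happens to be non-empty and free of adjacent spaces; if that list is ever emptied or reformatted, an empty login would be authorized as `trusted_bot`. Adding `[[ -n "${login}" ]] || return 1` as the first statement of the function makes it fail closed regardless of the list's contents. The new `elif` also authorizes on the author's login alone and for every push to the PR, whereas the ok-to-test path requires a label newer than the latest push. A Renovate PR carries dependency changes that no maintainer has reviewed, so the header comment should state that e2e runs on them unattended, and if the e2e job holds secrets (not visible here) that should be confirmed as intended. The `if`/`elif` chain continues past the end of the last hunk.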