import type { AsyncFunctionArguments } from 'github-script';
import type { PullRequestEvent, PullRequestReviewEvent } from '@octokit/webhooks-types';
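/**
 * Decide whether the current workflow run may deploy, based on who triggered it.
 *
 * Writes the `should-deploy` output (`'true'` / `'false'`) and logs the reason.
 * Deployment is allowed in exactly two cases:
 *  - a `pull_request` event whose PR author passes `isAllowedAuthor`, or
 *  - a `pull_request_review` event whose REVIEWER passes `isAllowedAuthor` and
 *    whose review body is exactly `ok-to-deploy`.
 * Any other event, author or review body yields `should-deploy=false`.
 *
 * NOTE(review): this gate only decides *whether* to deploy; which commit gets
 * deployed is chosen by the workflow's checkout step. The review payload names
 * the reviewed commit (`review.commit_id`); if the workflow checks out the PR
 * head or merge ref instead, commits pushed after the review could be deployed
 * under the reviewer's approval — confirm in the calling workflow.
 *
 * @param core    - github-script `core` API (outputs, logging, job summary).
 * @param context - github-script `context`; only `eventName` and `payload` are read.
 */
export default async function checkDeployPermissions({ core, context }: AsyncFunctionArguments) {
  if (context.eventName === 'pull_request_review') {
    const event = context.payload as PullRequestReviewEvent;
    // The REVIEWER's association decides here, not the PR author's: this is the
    // path by which a maintainer vouches for an external contributor's PR.
    const reviewerAssociation = event.review.author_association;
    if (!isAllowedAuthor(reviewerAssociation)) {
      await skipDeployment(core, 'Not authorized to trigger deployments.');
      return;
    }
    // A dismissed review is delivered again with its original body. Dismissal is
    // a retraction of the review, so it must not re-issue the deploy command.
    if (event.action === 'dismissed') {
      core.setOutput('should-deploy', 'false');
      core.info('Review was dismissed; not treating it as a deployment command');
      return;
    }
    // Exact match is deliberate: a review that merely mentions the phrase, or a
    // review with no body (`null`), does not deploy.
    if (event.review.body === 'ok-to-deploy') {
      core.setOutput('should-deploy', 'true');
      core.info('Deployment allowed: Triggered by maintainer review comment');
      return;
    }
    core.setOutput('should-deploy', 'false');
    core.info('No deployment command found in review');
    return;
  }
  if (context.eventName === 'pull_request') {
    const event = context.payload as PullRequestEvent;
    const authorAssociation = event.pull_request.author_association;
    if (!isAllowedAuthor(authorAssociation)) {
      // The override instructions must name the command the review branch above
      // actually checks ('ok-to-deploy'); telling maintainers to write
      // "pull-request-review" would send them to a phrase this script never
      // recognizes.
      await skipDeployment(
        core,
        'The PR author is not authorized to run deployments. Maintainers can trigger a deployment by submitting a review with "ok-to-deploy" as the comment.'
      );
      return;
    }
    core.setOutput('should-deploy', 'true');
    core.info('Deployment allowed: Authorized contributor');
    return;
  }
  // Every other event type (push, schedule, workflow_dispatch, ...) never deploys
  // through this gate.
  core.setOutput('should-deploy', 'false');
  core.info('Deployment not triggered for this event type');
}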
/**
 * Whether a GitHub `author_association` value is trusted to trigger deployments.
 *
 * Exactly `OWNER`, `MEMBER` and `COLLABORATOR` are trusted; every other value
 * (e.g. `CONTRIBUTOR`, `NONE`, an empty string) is rejected. The comparison is
 * case-sensitive, matching GitHub's upper-case enum values.
 *
 * NOTE(review): `COLLABORATOR` is "invited to the repository", which can include
 * collaborators without write access — confirm that matches the intended trust
 * boundary for deployments.
 */
function isAllowedAuthor(authorAssociation: string): boolean {
  switch (authorAssociation) {
    case 'OWNER':
    case 'MEMBER':
    case 'COLLABORATOR':
      return true;
    default:
      return false;
  }
}
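/**
 * Record a refused deployment: log it, set `should-deploy=false`, and append a
 * notice to the job summary explaining how a maintainer can override.
 *
 * @param coreApi - github-script `core` API (logging, outputs, summary).
 * @param reason  - Human-readable reason, rendered as a quote in the summary.
 *                  The visible callers pass fixed string literals, so it is not
 *                  treated as untrusted input here.
 */
async function skipDeployment(coreApi: AsyncFunctionArguments['core'], reason: string): Promise<void> {
  coreApi.info('Skipping deployment for security reasons.');
  coreApi.setOutput('should-deploy', 'false');
  // The override instructions must name the command the review check actually
  // recognizes (a review whose body is exactly 'ok-to-deploy'); the previous
  // text told maintainers to write "pull-request-review", which never triggers
  // a deployment.
  await coreApi.summary
    .addQuote(`🚫 Deployment skipped: ${reason}`)
    .addDetails(
      'Security Notice',
      `Deployments are restricted to organization members, collaborators, and repository owners.
External contributors can still run builds and tests.
Maintainers can trigger deployments by reviewing the PR with "ok-to-deploy" as the comment.`
    )
    .write();
}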