diff --git a/.github/workflows/pr_style_bot.yml b/.github/workflows/pr_style_bot.yml
index 9862965d..68530645 100644
--- a/.github/workflows/pr_style_bot.yml
+++ b/.github/workflows/pr_style_bot.yml
@@ -5,17 +5,50 @@ on:
   issue_comment:
     types: [created]
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
+
+env:
+  PYTHON_VERSION: "3.10"
 
 jobs:
-  run-style-bot:
+  check-permissions:
     if: >
       contains(github.event.comment.body, '@bot /style') &&
       github.event.issue.pull_request != null
     runs-on: ubuntu-latest
+    outputs:
+      is_authorized: ${{ steps.check_user_permission.outputs.has_permission }}
+    steps:
+      - name: Check user permission
+        id: check_user_permission
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const comment_user = context.payload.comment.user.login;
+            const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              username: comment_user
+            });
+            const authorized =
+              permission.permission === 'admin' ||
+              permission.permission === 'write';
+
+            console.log(
+              `User ${comment_user} has permission level: ${permission.permission}, ` +
+              `authorized: ${authorized} (admins & maintainers allowed)`
+            );
+
+            core.setOutput('has_permission', authorized);
+
+  run-style-bot:
+    needs: check-permissions
+    if: needs.check-permissions.outputs.is_authorized == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Extract PR details
         id: pr_info
@@ -61,6 +94,8 @@ jobs:
 
       - name: Set up Python
         uses: actions/setup-python@v4
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
 
       - name: Get Ruff Version from pre-commit-config.yaml
         id: get-ruff-version
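Review bot: The new `check-permissions` job pulls `actions/github-script@v6` by a mutable tag, yet it is now the only gate in front of a job that holds a `contents: write` / `pull-requests: write` token, so the gate is only as trustworthy as whatever that tag points at on a given day; pin it to a full commit SHA, e.g. `uses: actions/github-script@<full-commit-sha> # v6` (same for `actions/setup-python@v4` in the second hunk). The gate also establishes only who commented, not that the PR head is trustworthy: `run-style-bot` presumably checks out and runs tooling against PR-controlled files (the ruff version is read from `.pre-commit-config.yaml` in the second hunk), so a write-capable maintainer commenting `@bot /style` on a fork PR still executes PR-controlled configuration under the write token, and a comment above `run-style-bot` such as `# NOTE: authorizing the commenter does not sanitize the PR head; ruff version/config come from the PR` would make that boundary explicit. With the top-level `permissions: {}` the check job's GITHUB_TOKEN has only the implicit metadata read scope, which should be enough for `getCollaboratorPermissionLevel` but is worth confirming in a real run; if the call throws, the job fails and `run-style-bot` is skipped rather than run, which is the desirable fail-closed outcome. The `Extract PR details` step and the remainder of `run-style-bot` continue outside the hunk.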