docs: add permissions check to approval-based publish (#269)

stackblitz-labs · Oct 28, 2024 · 8646a36 · 8646a36
1 parent 7d1ceee
commit 8646a36
Showing 1 changed file with 19 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -194,10 +194,26 @@ on:
     types: [submitted]
 
 jobs:
-  approved:
-    if: github.event.review.state == 'APPROVED'
+  check:
+    # First, trigger a permissions check on the user approving the pull request.
+    if: github.event.review.state == 'approved'
+    runs-on: ubuntu-latest
+    outputs:
+      has-permissions: ${{ steps.checkPermissions.outputs.require-result }}
+    steps:
+      - name: Check permissions
+        id: checkPermissions
+        uses: actions-cool/check-user-permission@v2
+        with:
+          # In this example, the approver must have the write access
+          # to the repository to trigger the package preview.
+          require: 'write'
+
+  publish:
+    needs: check
+    # Publish the preview package only if the permissions check passed.
+    if: needs.check.outputs.has-permissions == 'true'
     runs-on: ubuntu-latest
-
     steps:
       - name: Checkout code
         uses: actions/checkout@v4