From 8646a36e0a94d1bcab718f1e8c8884af0de87e83 Mon Sep 17 00:00:00 2001
From: Artem Zakharchenko
Date: Mon, 28 Oct 2024 15:46:05 +0100
Subject: [PATCH] docs: add permissions check to approval-based publish (#269)

---
 README.md | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index ef9d0a6..0234ae5 100644
--- a/README.md
+++ b/README.md
@@ -194,10 +194,26 @@ on:
     types: [submitted]
 
 jobs:
-  approved:
-    if: github.event.review.state == 'APPROVED'
+  check:
+    # First, trigger a permissions check on the user approving the pull request.
+    if: github.event.review.state == 'approved'
+    runs-on: ubuntu-latest
+    outputs:
+      has-permissions: ${{ steps.checkPermissions.outputs.require-result }}
+    steps:
+      - name: Check permissions
+        id: checkPermissions
+        uses: actions-cool/check-user-permission@v2
+        with:
+          # In this example, the approver must have the write access
+          # to the repository to trigger the package preview.
+          require: 'write'
+
+  publish:
+    needs: check
+    # Publish the preview package only if the permissions check passed.
+    if: needs.check.outputs.has-permissions == 'true'
     runs-on: ubuntu-latest
-    steps:
       - name: Checkout code
         uses: actions/checkout@v4