From 0486b7063e6dc3f5559b877b4047ea3f2a6eb8cc Mon Sep 17 00:00:00 2001
From: Nadin Jbara <93648739+nadin-Starkware@users.noreply.github.com>
Date: Thu, 22 Aug 2024 15:26:07 +0300
Subject: [PATCH] chore(ci): validate user's permissions before uploading artifacts step (#558)
---
 .github/workflows/blockifier_ci.yml | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/blockifier_ci.yml b/.github/workflows/blockifier_ci.yml
index bf274c5001..484052db7c 100644
--- a/.github/workflows/blockifier_ci.yml
+++ b/.github/workflows/blockifier_ci.yml
@@ -78,18 +78,28 @@ jobs:
           target/release/libnative_blockifier.so \
           target/release/native_blockifier.pypy39-pp73-x86_64-linux-gnu.so
 
+      # Check if the user has the required permission to upload the artifact.
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@v2
+        with:
+          require: write
+          username: ${{ github.triggering_actor }}
+
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.triggering_actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          echo "Job originally triggered by ${{ github.actor }}"
+          exit 1
+
       - name: Authenticate with GCS
-        # Fork PRs do not have access to secrets.
-        # Push events should trigger the upload regardless of the originating PR.
-        if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
         uses: "google-github-actions/auth@v2"
         with:
           credentials_json: ${{ secrets.SA_NATIVE_BLOCKIFIER_ARTIFACTS_BUCKET_WRITER_ACCESS_KEY }}
 
       - name: Upload binary to GCP
-        # Fork PRs do not have access to secrets (so no uploading).
-        # Push events should trigger the upload regardless of the originating PR.
-        if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
         id: upload_file
         uses: "google-github-actions/upload-cloud-storage@v2"
         with:
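Review bot: The new gate changes the outcome for fork pull requests: the deleted `if:` conditions let the job finish without uploading when secrets were unavailable, whereas `Check User Permission` now fails the whole job with `exit 1` for any triggering actor below write, so a fork PR from an outside contributor turns red at this step instead of skipping the upload — if that is not intended, keep the skip by conditioning the GCS steps instead, e.g. `if: steps.checkAccess.outputs.require-result == 'true'`. Independently, `actions-cool/check-user-permission@v2` is a third-party action referenced by a mutable tag on the very step that decides whether the write-scoped GCS credential is used; pinning it to a full commit SHA (`uses: actions-cool/check-user-permission@<commit-sha>  # v2`) keeps a tag move from silently changing the gate. The `run:` block also expands `${{ github.triggering_actor }}` and `${{ steps.checkAccess.outputs.user-permission }}` directly into the shell script; passing them through `env:` and referencing `"$ACTOR"` / `"$LEVEL"` is the usual way to keep template expansion out of the script body. The enclosing job and the workflow's trigger events are outside the hunk, so whether `github.triggering_actor` is the right identity to check here (for example under `pull_request_target` or on re-runs) cannot be confirmed from this diff.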