
Commit da6d700

authored
fix(repo): Verify user permissions to run integration tests (clerk#4489)
1 parent f3175f2 commit da6d700

3 files changed

Lines changed: 21 additions & 94 deletions


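--- /dev/null
+++ b/.changeset/famous-shoes-walk.md
@@ -0,0 +1,2 @@
+---
+---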

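--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -138,10 +138,6 @@ jobs:
 
 integration-tests:
 name: Integration Tests
-# Skip for fork PRs to prevent security vulnerabilities (no secrets)
-# Runs if it comes from the root repo or once it gets approved by a maintainer
-if: |
-github.event.inputs.run_integration_tests == 'true' || github.event.pull_request.head.repo.full_name == github.repository
 needs: formatting-linting
 runs-on: ${{ vars.RUNNER_LARGE || 'ubuntu-latest-l' }}
 timeout-minutes: ${{ vars.TIMEOUT_MINUTES_LONG && fromJSON(vars.TIMEOUT_MINUTES_LONG) || 15 }}
@@ -163,11 +159,30 @@ jobs:
 next-version: '15'
 
 steps:
+# Skip integration tests from fork PRs to prevent secret exfiltration
+- name: Get User Permission
+id: checkAccess
+uses: actions-cool/check-user-permission@v2
+with:
+require: write
+username: ${{ github.triggering_actor }}
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+- name: Check User Permission
+if: steps.checkAccess.outputs.require-result == 'false'
+run: |
+echo "${{ github.triggering_actor }} does not have permissions on this repo."
+echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+echo "Job originally triggered by ${{ github.actor }}"
+exit 1
+
 - name: Checkout Repo
 uses: actions/checkout@v4
 with:
 fetch-depth: 0
 show-progress: false
+# We must first verify the user permissions before checking out PR code
+ref: ${{ github.event.pull_request.head.sha }}
 
 - name: Setup
 id: config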
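Review bot: The gate on the `Check User Permission` step in the second hunk fails open: it only blocks when `require-result` is exactly `'false'`, so an empty, missing or renamed output from the preceding step lets the job continue to check out `github.event.pull_request.head.sha` with secrets in scope; inverting it to `if: steps.checkAccess.outputs.require-result != 'true'` makes the default a refusal. The third-party action `actions-cool/check-user-permission@v2` receives `GITHUB_TOKEN` and is pinned only by a mutable tag; since this step is now the sole guard between fork code and the job's secrets, pin it to a full commit SHA (tag noted in a trailing comment) so the check cannot be changed upstream. `${{ github.triggering_actor }}` is expanded straight into the `run:` script; passing it via `env:` and reading it as a shell variable is the conventional pattern even though usernames are tightly constrained. With the job-level `if:` removed in the first hunk, a fork PR whose triggering actor lacks write access now fails this job instead of skipping it — presumably intended, but worth confirming against any required-check configuration. The `integration-tests` job definition continues outside both hunks.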

.github/workflows/run-integration-tests.yml

Lines changed: 0 additions & 90 deletions
This file was deleted.
