|
32 | 32 | CODER_RELEASE_NOTES:${{ inputs.release_notes }}
|
33 | 33 |
|
34 | 34 | jobs:
|
| 35 | +# Only allow maintainers/admins to release. |
| 36 | +check-perms: |
| 37 | +runs-on:${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }} |
| 38 | +steps: |
| 39 | + -name:Allow only maintainers/admins |
| 40 | +uses:actions/github-script@v7.1.0 |
| 41 | +with: |
| 42 | +github-token:${{ secrets.GITHUB_TOKEN }} |
| 43 | +script:| |
| 44 | + const {data} = await github.rest.repos.getCollaboratorPermissionLevel({ |
| 45 | + owner: context.repo.owner, |
| 46 | + repo: context.repo.repo, |
| 47 | + username: context.actor |
| 48 | + }); |
| 49 | + const perm = data.permission; // 'pull' | 'triage' | 'push' | 'maintain' | 'admin' ,[object Object], |
| 50 | + core.info(`Actor ${context.actor} permission: ${perm}`); |
| 51 | + if (!['admin','maintain'].includes(perm)) { |
| 52 | + core.setFailed(`Denied: requires maintain or admin`); |
| 53 | + } |
35 | 54 | # build-dylib is a separate job to build the dylib on macOS.
|
36 | 55 | build-dylib:
|
37 | 56 | runs-on:${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest' }}
|
| 57 | +needs:check-perms |
38 | 58 | steps:
|
39 | 59 | # Harden Runner doesn't work on macOS.
|
40 | 60 | -name:Checkout
|
@@ -114,7 +134,7 @@ jobs:
|
114 | 134 |
|
115 | 135 | release:
|
116 | 136 | name:Build and publish
|
117 |
| -needs:build-dylib |
| 137 | +needs:[build-dylib, check-perms] |
118 | 138 | runs-on:${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
|
119 | 139 | permissions:
|
120 | 140 | # Required to publish a release
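Review bot: The maintainer gate only covers jobs that list `check-perms` in `needs`, so the new `needs: [build-dylib, check-perms]` on the release job is right but the invariant it relies on is undocumented; any job between the two hunks (not visible here) or added later that omits `check-perms` from `needs`, or that uses `if: always()`, would still run for an actor who is neither maintain nor admin. Add a comment above the `needs:` line, e.g. `# Every job that signs or publishes must list check-perms in needs and must not use if: always(), otherwise the maintainer gate is bypassed.` Naming check-perms next to build-dylib is transitively redundant but makes the dependency explicit, which is worth keeping. The release job's remaining keys continue outside this hunk.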
|
|