stackblitz-labs / pkg.pr.new

Continuous (Preview) Releases for your libraries!
https://pkg.pr.new
MIT License

Approval-based example allows publishing by anybody #267

Open kettanaito opened 3 hours ago

kettanaito commented 3 hours ago

Hi! Thanks for an awesome tool.

A quick question: does the approval-based publishing kick in if anybody approves a pull request? This is probably a question more to GitHub Actions, but I thought you'd know.

My concern is that I want to automatically publish the package only if a team member approved it, so that a random user couldn't approve potentially malicious changes.

kettanaito commented 2 hours ago

I can confirm that any approval of a PR triggers preview publishing (see https://github.com/mswjs/msw/pull/2335, the approval from @dandelionadia).

This isn't an issue of this library, but a better setup would be appreciated in the README. The one listed is not secure. Anybody can trigger the preview publish, which defies the whole purpose of locking it behind the approval state.

kettanaito commented 44 minutes ago

I've looked everywhere, but there doesn't seem to be a way to check the PR reviewer's permissions in the if expression. The user object doesn't have anything permissions-related. Looks like you must check those permissions manually, which means run and then if on individual steps, which is extremely annoying.

kettanaito commented 19 minutes ago

Solution

After hours of research, this is finally the approach that worked for me:

name: release

on:
  pull_request_review:
    types: [submitted]
  workflow_dispatch:

jobs:
  check:
    # Trigger the permissions check whenever someone approves a pull request.
    # They must have the write permissions to the repo in order to
    # trigger preview package publishing.
    if: github.event.review.state == 'approved'
    runs-on: ubuntu-latest
    outputs:
      has-permissions: ${{ steps.checkPermissions.outputs.require-result }}
    steps:
      - name: Check permissions
        id: checkPermissions
        uses: actions-cool/check-user-permission@v2
        with:
          require: 'write'

  preview:
    # The approving user must pass the permissions check
    # to trigger the preview publish.
    needs: check
    if: needs.check.outputs.has-permissions == 'true'
    runs-on: macos-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # Prepare your package here...

      - name: Publish preview
        run: # RELEASE COMMAND HERE

This has two jobs so that preview can be skipped entirely if the check output is 'false'. This is so far the only approach I found that:
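An added shell audit, not part of this issue or the pkg.pr.new project, that flags workflow files carrying the insecure pattern described above: triggered on pull_request_review, gated only on review.state == 'approved', with no check on who approved. The two sample workflows and their filenames are constructed for the demonstration; the match is textual, not a YAML parse.

```shell
# Added example (not from the pkg.pr.new project). Heuristic audit for
# GitHub Actions workflows that publish on any pull request approval.
audit_workflow() {
  f="$1"
  # Only review-triggered, approval-gated workflows are in scope.
  grep -q 'pull_request_review' "$f" || return 1
  grep -q "review.state == 'approved'" "$f" || return 1
  # Accept the file if some check on the reviewer is present.
  grep -Eq 'check-user-permission|author_association' "$f" && return 1
  printf '%s: publishes on approval without checking the reviewer\n' "$f"
  return 0
}

# Prints the number of flagged *.yml files in a directory.
count_flagged() {
  n=0
  for f in "$1"/*.yml; do
    audit_workflow "$f" >/dev/null && n=$((n + 1))
  done
  echo "$n"
}

# Constructed samples: one insecure workflow, one gated like the fix above.
make_samples() {
  d=$(mktemp -d)
  cat > "$d/insecure.yml" <<'EOF'
on:
  pull_request_review:
    types: [submitted]
jobs:
  preview:
    if: github.event.review.state == 'approved'
    runs-on: ubuntu-latest
    steps:
      - run: echo publish
EOF
  cat > "$d/gated.yml" <<'EOF'
on:
  pull_request_review:
    types: [submitted]
jobs:
  check:
    if: github.event.review.state == 'approved'
    runs-on: ubuntu-latest
    steps:
      - uses: actions-cool/check-user-permission@v2
        with:
          require: 'write'
EOF
  echo "$d"
}
```

Run `count_flagged "$(make_samples)"` to see only the insecure sample reported, or point `count_flagged` at a real `.github/workflows` directory.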