Open kettanaito opened 3 hours ago
I can confirm that any approval of a PR triggers preview publishing (see https://github.com/mswjs/msw/pull/2335, the approval from @dandelionadia).
This isn't an issue with this library, but a better setup would be appreciated in the README. The one listed is not secure. Anybody can trigger the preview publish, which defies the whole purpose of locking it behind the approval state.
I've looked everywhere, but there doesn't seem to be a way to check the PR reviewer's permissions in the `if` expression. The `user` object doesn't have anything permissions-related. Looks like you must check those permissions manually, which means `run` and then `if` on individual steps, which is extremely annoying.
After hours of research, this is finally the approach that worked for me:
```yaml
name: release
on:
  pull_request_review:
    types: [submitted]
  workflow_dispatch:
jobs:
  check:
    # Trigger the permissions check whenever someone approves a pull request.
    # They must have the write permissions to the repo in order to
    # trigger preview package publishing.
    if: github.event.review.state == 'approved'
    runs-on: ubuntu-latest
    outputs:
      has-permissions: ${{ steps.checkPermissions.outputs.require-result }}
    steps:
      - name: Check permissions
        id: checkPermissions
        uses: actions-cool/check-user-permission@v2
        with:
          require: 'write'
  preview:
    # The approving user must pass the permissions check
    # to trigger the preview publish.
    needs: check
    if: needs.check.outputs.has-permissions == 'true'
    runs-on: macos-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      # Prepare your package here...
      - name: Publish preview
        run: # RELEASE COMMAND HERE
```
This has two jobs so `preview` can be skipped entirely if `check` output is `'false'`. This is so far the only approach I found that:
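The comment above notes that the reviewer's permission has to be checked manually in a `run` step. As an added example (not from this issue thread or the msw project), here is that manual check as a POSIX shell script. It uses the same REST endpoint the `check-user-permission` action relies on, `GET /repos/{owner}/{repo}/collaborators/{username}/permission`, whose `permission` field is one of `none`, `read`, `write` or `admin`, and ranks those levels so "at least write" can be enforced. It goes slightly beyond the workflow above by treating an error response (no `permission` field at all) as `none`, so a failed lookup can never grant access. The JSON responses and user logins embedded below are constructed sample data, and the function names are my own.

```shell
#!/usr/bin/env sh
# Added example: manual reviewer-permission check for a GitHub Actions step.
# Not part of the issue or the msw project.

# Rank the documented "permission" values so levels can be compared.
# Anything unexpected (including an empty string) ranks as "none".
permission_rank() {
  case "$1" in
    admin) echo 3 ;;
    write) echo 2 ;;
    read)  echo 1 ;;
    *)     echo 0 ;;   # "none", an error body, or an unknown value
  esac
}

# Extract the top-level "permission" value from the API JSON (no jq needed).
# Prints nothing when the field is absent, e.g. on a {"message":"Not Found"} body.
permission_from_json() {
  printf '%s' "$1" | tr -d '\n' \
    | sed -n 's/.*"permission"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Succeed (exit 0) when level $1 is at least as privileged as level $2.
meets_requirement() {
  actual=$(permission_rank "$1")
  required=$(permission_rank "$2")
  [ "$actual" -ge "$required" ]
}

# Given an API response body and a required level, print "true" or "false".
# A missing field falls back to "none", so lookup failures deny by default.
has_permissions() {
  level=$(permission_from_json "$1")
  if meets_requirement "${level:-none}" "$2"; then echo true; else echo false; fi
}

# Constructed sample responses (shape of the real endpoint, values invented).
SAMPLE_WRITE='{ "permission": "write", "user": { "login": "maintainer-a", "type": "User" } }'
SAMPLE_READ='{ "permission": "read", "user": { "login": "drive-by-approver", "type": "User" } }'
SAMPLE_ERROR='{ "message": "Not Found", "status": "404" }'

# Stand-alone demo. Inside a workflow step you would instead fetch the body with
#   gh api "repos/$GITHUB_REPOSITORY/collaborators/$REVIEWER/permission"
# where REVIEWER is ${{ github.event.review.user.login }} and GH_TOKEN is set,
# then: echo "has-permissions=$(has_permissions "$body" write)" >> "$GITHUB_OUTPUT"
echo "maintainer-a:      $(has_permissions "$SAMPLE_WRITE" write)"
echo "drive-by-approver: $(has_permissions "$SAMPLE_READ" write)"
echo "lookup failed:     $(has_permissions "$SAMPLE_ERROR" write)"
```

In a workflow this replaces the `actions-cool/check-user-permission` step: run the script in a `run` step with `env: GH_TOKEN: ${{ github.token }}` so `gh api` can authenticate, and expose the `has-permissions` output exactly as the `check` job above does. The deny-by-default on a missing field matters because a removed collaborator or a typo in the username yields a 404 body, which must not be mistaken for an approval.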
Hi! Thanks for an awesome tool.
A quick question: does the approval-based publishing kick in if anybody approves a pull request? This is probably a question more to GitHub Actions, but I thought you'd know.
My concern is that I want to automatically publish the package only if a team member approved it, so that a random user couldn't approve potentially malicious changes.