From 100433fb25055b42df55d65fd93de2700a1ae8d9 Mon Sep 17 00:00:00 2001 From: Danny Kopping Date: Thu, 30 May 2024 08:25:42 +0200 Subject: [PATCH 1/3] Modify preview deployment script to work with forks by specifying the coder/coder repo Signed-off-by: Danny Kopping --- .github/workflows/pr-deploy.yaml | 4 ++-- scripts/deploy-pr.sh | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml index 68693fe29ce04..54a4ba2a1f4fa 100644 --- a/.github/workflows/pr-deploy.yaml +++ b/.github/workflows/pr-deploy.yaml @@ -47,8 +47,8 @@ jobs: run: | set -euo pipefail pr_open=true - if [[ "$(gh pr view --json state | jq -r '.state')" != "OPEN" ]]; then - echo "PR doesn't exist or is closed." + if [[ "$(gh pr status --json state --repo=coder/coder --jq '.createdBy[0].state')" != "OPEN" ]]; then + >&2 echo "PR doesn't exist or is closed." pr_open=false fi echo "pr_open=$pr_open" >> $GITHUB_OUTPUT diff --git a/scripts/deploy-pr.sh b/scripts/deploy-pr.sh index babd2e77cb75c..ad32c2d6d4597 100755 --- a/scripts/deploy-pr.sh +++ b/scripts/deploy-pr.sh @@ -71,8 +71,9 @@ fi gh_auth # get branch name and pr number -branchName=$(gh pr view --json headRefName | jq -r .headRefName) -prNumber=$(gh pr view --json number | jq -r .number) +info=$(gh pr status --repo=coder/coder --json headRefName,number --jq '.createdBy[0]') +branchName=$(echo "${info}" | jq -r .headRefName) +prNumber=$(echo "${info}" | jq -r .number) if [[ "$dryRun" = true ]]; then echo "dry run" From d87fc2b55061cb5c786fc39f88ace9eecb092652 Mon Sep 17 00:00:00 2001 From: Danny Kopping Date: Thu, 30 May 2024 09:05:23 +0200 Subject: [PATCH 2/3] Restrict action to members of the org Signed-off-by: Danny Kopping --- .github/workflows/pr-deploy.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml index 54a4ba2a1f4fa..e8dcd73415a5e 100644 
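Review bot: In patch 1/3, `.createdBy[0]` in the `check_pr` step selects the first pull request created by whichever identity `gh` is authenticated as, not the pull request for the branch being deployed, so `pr_open` can reflect an unrelated PR or come back empty. The `scripts/deploy-pr.sh` hunk of the same patch reads `headRefName` and `number` from the same `.createdBy[0]` entry and has the same problem. Patch 3/3 replaces both lookups, so squashing it into this commit would keep every commit in the series pointing at the intended PR. If the intermediate commit is kept, a comment such as `# NOTE: createdBy[0] is the first PR of the authenticated user, not necessarily this branch's PR` would record the limitation.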
--- a/.github/workflows/pr-deploy.yaml +++ b/.github/workflows/pr-deploy.yaml @@ -34,6 +34,17 @@ permissions: pull-requests: write # needed for commenting on PRs jobs: + check_membership: + runs-on: ubuntu-latest + steps: + - name: Check if actor is a member + run: | + set -euo pipefail + response=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" "https://api.github.com/orgs/coder/members/${{ github.actor }}") + if [[ "$response" == "404" ]]; then + echo "Error: Only members of the coder organization can trigger this workflow." + exit 1 + fi check_pr: runs-on: ubuntu-latest outputs: From c1e0a114b384712456afbdfc4750d66542eb0d76 Mon Sep 17 00:00:00 2001 From: Danny Kopping Date: Thu, 30 May 2024 09:50:17 +0200 Subject: [PATCH 3/3] Use "pr list" instead Signed-off-by: Danny Kopping --- .github/workflows/pr-deploy.yaml | 2 +- scripts/deploy-pr.sh | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml index e8dcd73415a5e..b36f2cb9ea45a 100644 --- a/.github/workflows/pr-deploy.yaml +++ b/.github/workflows/pr-deploy.yaml @@ -58,7 +58,7 @@ jobs: run: | set -euo pipefail pr_open=true - if [[ "$(gh pr status --json state --repo=coder/coder --jq '.createdBy[0].state')" != "OPEN" ]]; then + if [[ "$(gh pr list --repo=coder/coder -H $(git rev-parse --abbrev-ref HEAD) --json state --jq '.[].state')" != "OPEN" ]]; then >&2 echo "PR doesn't exist or is closed." pr_open=false fi diff --git a/scripts/deploy-pr.sh b/scripts/deploy-pr.sh index ad32c2d6d4597..daaaba1a34397 100755 --- a/scripts/deploy-pr.sh +++ b/scripts/deploy-pr.sh 
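Review bot: The membership gate in the new `check_membership` job (patch 2/3) fails open, because only a literal `404` is rejected. Every other outcome of the curl call lets the job succeed: a 302 redirect when the requester is not itself treated as an organization member, a 401/403 for a token without access, or `000` on a network error. Compare against the single status the endpoint returns for a confirmed member instead: `if [[ "$response" != "204" ]]; then`. The diffstat for this patch shows 11 insertions, all in the new job, so no `needs: check_membership` is added to `check_pr` or later jobs; unless that dependency exists outside the visible lines, a failed check does not stop them from running. It would also be safer to pass `${{ github.actor }}` and the token through `env:` and use them as quoted shell variables rather than expanding them into the script text.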
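Review bot: The new lookup in `check_pr` (patch 3/3, `gh pr list ... -H $(git rev-parse --abbrev-ref HEAD) ... --jq '.[].state'`) identifies the PR by head branch name only, which is not unique once forks are involved. Two open PRs from different forks with the same branch name make `.[].state` print several lines, so the comparison with `"OPEN"` fails, and a single match may still belong to a different fork than intended. Accept the result only when exactly one PR matches, e.g. `--jq 'if length == 1 then .[0].state else empty end'`, and quote the inner substitution: `-H "$(git rev-parse --abbrev-ref HEAD)"`. The `scripts/deploy-pr.sh` hunk of this patch uses the same unquoted `-H ${branchName}` with `.[].number` and needs the same treatment. The `run:` block starts and ends outside the hunk.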
@@ -71,9 +71,8 @@ fi gh_auth # get branch name and pr number -info=$(gh pr status --repo=coder/coder --json headRefName,number --jq '.createdBy[0]') -branchName=$(echo "${info}" | jq -r .headRefName) -prNumber=$(echo "${info}" | jq -r .number) +branchName=$(git rev-parse --abbrev-ref HEAD) +prNumber=$(gh pr list --repo=coder/coder -H ${branchName} --json number --jq '.[].number') if [[ "$dryRun" = true ]]; then echo "dry run"
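Review bot: Nothing in this hunk checks that the lookup produced a single PR number before the script carries on. When no open PR matches the branch, `prNumber` is empty, and on a detached checkout `git rev-parse --abbrev-ref HEAD` yields the literal `HEAD`, so `branchName` is not a branch name at all. A guard directly after the assignment keeps the rest of the script from acting on a missing or ambiguous target, for example `[[ "$prNumber" =~ ^[0-9]+$ ]] || { echo "no unique open PR found for ${branchName}" >&2; exit 1; }`. The script continues outside the hunk, so how `prNumber` is consumed later is not visible here.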