@@ -33,19 +33,48 @@ concurrency:
3333 group : ${{ github.workflow }}-${{ github.event.number || github.event.pull_request.head.ref }}
3434 cancel-in-progress : true
3535
36+ env :
37+ GH_TEAM : rhdh
38+ GH_ORGANIZATION : redhat-developer
3639jobs :
40+ check-commit-author :
41+ runs-on : ubuntu-latest
42+ outputs :
43+ is_authorized : ${{ steps.check-team-membership.outputs.is_active_member }}
44+ steps :
45+ - name : Generate GitHub App Token
46+ id : app-token
47+ uses : actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
48+ with :
49+ app-id : ${{ secrets.RHDH_GITHUB_APP_ID }}
50+ private-key : ${{ secrets.RHDH_GITHUB_APP_PRIVATE_KEY }}
51+ - name : Check team membership
52+ uses : redhat-developer/rhdh/.github/actions/check-author@main
53+ id : check-team-membership
54+ with :
55+ team : ${{ env.GH_TEAM }}
56+ organization : ${{ env.GH_ORGANIZATION }}
57+ gh_token : ${{ steps.app-token.outputs.token }}
58+ author : ${{ github.event.pull_request.user.login }}
59+
3760 authorize :
38- # The 'external' environment is configured with the odo-maintainers team as required reviewers.
39- # All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks.
40- # see list of approvers in OWNERS file
61+ # The 'external' environment is configured with the rhdh-content team as required reviewers.
62+ # All the subsequent jobs in this workflow 'need' this job, which will require manual approval for PRs coming from external forks outside of the rhdh team
63+ needs : check-commit-author
4164 environment :
42- ${{ (github.event.pull_request.head.repo.full_name == github.repository ||
43- contains(fromJSON('["gazarenkov","jianrongzhang89","kadel","nickboldt","rm3l"]'), github.actor)) && 'internal' || 'external' }}
65+ ${{ (needs.check-commit-author.outputs.is_authorized == 'true' || github.event.pull_request.head.repo.full_name == github.repository) && 'internal' || 'external' }}
4466 runs-on : ubuntu-latest
4567 steps :
46- - name : approved
68+ - name : Check if internal PR
69+ id : check
4770 run : |
48- echo "✓"
71+ if [[ "${{ needs.check-commit-author.outputs.is_authorized }}" == "true" ]]; then
72+ echo "✓ Commit author is in rhdh team - using internal environment"
73+ elif [[ "${{ github.event.pull_request.head.repo.full_name }}" == "${{ github.repository }}" ]]; then
74+ echo "✓ Internal PR (not from fork) - using internal environment"
75+ else
76+ echo "✓ External PR from fork from non-rhdh team member - using external environment for security"
77+ fi
4978
5079 adoc_build :
5180 name : Ccutil Build For PR branch preview
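Review bot: The action that decides which environment a PR lands in, `redhat-developer/rhdh/.github/actions/check-author@main` on the 'Check team membership' step, is pinned to a mutable branch, while the app-token action two steps above is pinned to a full commit SHA with a version comment; since this job's `is_authorized` output is what selects `internal` over the reviewer-gated `external` environment in `authorize`, a change to that branch in the other repository alters this repository's authorization gate without any review here. Pin it the same way, `uses: redhat-developer/rhdh/.github/actions/check-author@<commit-sha> # <version>`, and bump it deliberately. The job name and the comments speak of the "commit author", but the `author` input is `github.event.pull_request.user.login`, i.e. the PR author, not the author of any pushed commit — either rename the job to `check-pr-author` or add a comment above it such as `# Membership is checked for the PR author (user.login), not for individual commit authors`. In the 'Check if internal PR' step the two context values are interpolated straight into the bash script; passing them through `env:` (`AUTHORIZED: ${{ needs.check-commit-author.outputs.is_authorized }}`) and testing `"$AUTHORIZED"` keeps the step free of expression injection should the action's output format ever change.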
@@ -57,12 +86,19 @@ jobs:
5786 pull-requests : write
5887
5988 steps :
60- - name : Checkout
89+ - name : Checkout base branch to get trusted build script
90+ uses : actions/checkout@v4
91+ with :
92+ ref : ${{ github.event.pull_request.base.ref }}
93+ path : trusted-scripts
94+
95+ - name : Checkout PR branch for content to build
6196 uses : actions/checkout@v4
6297 with :
6398 fetch-depth : 0
6499 ref : ${{ github.event.pull_request.head.ref }}
65100 repository : ${{ github.event.pull_request.head.repo.full_name }}
101+ path : pr-content
66102
67103 - name : Setup environment
68104 run : |
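Review bot: The new 'Checkout base branch to get trusted build script' step leaves `persist-credentials` at its default of true, so the job token is written into `trusted-scripts/.git/config` and stays on the runner while the fork's content is built, even though later steps only copy one file out of that checkout and never fetch or push with it; add `persist-credentials: false` under its `with:` block. The same step uses the floating `actions/checkout@v4` tag whereas the app-token action earlier in this workflow is pinned to a full commit SHA — pin the new line the same way, `uses: actions/checkout@<commit-sha> # v4.x.y`. A one-line comment stating the trust boundary would also help the next reader, e.g. `# Checkout of the base repository at the base ref: only the build script is taken from here, never PR content`, since the second checkout just below deliberately pulls the fork's branch. The enclosing adoc_build job starts outside this hunk.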
@@ -75,10 +111,13 @@ jobs:
75111 - name : Build guides and indexes
76112 run : |
77113 echo "Building PR ${{ github.event.pull_request.number }}"
114+ cp trusted-scripts/build/scripts/build-ccutil.sh pr-content/build/scripts/build-ccutil.sh
115+ cd pr-content
78116 build/scripts/build-ccutil.sh -b "pr-${{ github.event.number }}"
79117
80118 - name : Pull from origin before pushing (if possible)
81119 run : |
120+ cd pr-content
82121 /usr/bin/git pull origin gh-pages || true
83122
84123 # repo must be public for this to work
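Review bot: The 'Build guides and indexes' step copies the trusted `build-ccutil.sh` into the PR checkout and then runs it from inside `pr-content`, so the script itself is trusted but anything it reaches by relative path — other files under `pr-content/build/`, a Makefile, configuration it sources — is still the fork's content; if the script references sibling files (I cannot tell from here), invoke it from the trusted checkout instead, `"$GITHUB_WORKSPACE/trusted-scripts/build/scripts/build-ccutil.sh" -b "pr-${{ github.event.number }}"`, and keep `pr-content` as the working directory only for the documents being built. The copy also presumes `pr-content/build/scripts/` still exists as a directory in the PR branch; a PR that removes or replaces it makes the `cp` fail or land somewhere unexpected, so either `mkdir -p pr-content/build/scripts` first or, again, avoid copying into the untrusted tree at all. The enclosing adoc_build job starts outside this hunk.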
89128 github_token : ${{ secrets.RHDH_BOT_TOKEN }}
90129 publish_branch : gh-pages
91130 keep_files : true
92- publish_dir : ./titles-generated
131+ publish_dir : ./pr-content/ titles-generated
93132
94133 - name : PR comment with doc preview, replacing existing comments with a new one each time
95134 shell : bash