1- name : Build & test # on both PRs and push to develop/main
1+ name : Build & test # on PRs (including forks) and push to develop/main
22
33on :
4- pull_request :
5- branches : [develop ]
4+ pull_request_target :
5+ types : [opened, synchronize ]
66 push :
77 branches : [develop]
88
99jobs :
1010 build-and-test :
11- name : Build & test
1211 runs-on : ubuntu-latest
1312 steps :
14- - uses : actions/checkout@v4
13+ # Get user permission of workflow triggering actor, return true or false
14+ - name : Get Workflow Actor Permission
15+ id : checkAccess
16+ # Action used: https://github.com/actions-cool/check-user-permission
17+ uses : actions-cool/check-user-permission@v2
18+ with :
19+ require : write
20+ username : ${{ github.triggering_actor }}
21+ env :
22+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
23+ # Check user permission from previous step, exit if false
24+ - name : Check Workflow Actor Permission
25+ if : steps.checkAccess.outputs.require-result == 'false'
26+ run : |
27+ echo "${{ github.triggering_actor }} does not have permissions to run workflows on this repo."
28+ echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
29+ echo "Job originally triggered by ${{ github.actor }}"
30+ exit 1
31+ # Checkout PR code
32+ - name : Checkout code
33+ uses : actions/checkout@v4
34+ with :
35+ # This is dangerous without the first access check
36+ ref : ${{ github.event.pull_request.head.sha }}
1537 - name : Get yarn cache directory path
1638 id : yarn-cache-dir-path
1739 run : echo "::set-output name=dir::$(yarn cache dir)"
@@ -26,14 +48,11 @@ jobs:
2648name : Use NodeJs
2749 uses : actions/setup-node@v3
2850 with :
29- node-version : ' 20.x'
30-
51+ node-version : " 20.x"
3152 - name : Install dependencies
3253 run : yarn install --frozen-lockfile --non-interactive
33-
3454 - name : Run linting
3555 run : yarn lint
36-
3756 - name : Build app
3857 run : yarn build
3958 env :
0 commit comments