From 56d45fc047901533401928ad6dfbc46863420a10 Mon Sep 17 00:00:00 2001 From: Hyungu Kang | Airen Date: Fri, 23 Aug 2024 16:12:16 +0900 Subject: [PATCH] ci: add permission check to publish workflow (#351) ## Changes - Added validation step to package-publish workflow ticket: ## Additional Notes - ## Checklist Before requesting a code review, please check the following: - [x] **[Required]** CI has passed all checks. - [x] **[Required]** A self-review has been conducted to ensure there are no minor mistakes. - [x] **[Required]** Unnecessary comments/debugging code have been removed. - [x] **[Required]** All requirements specified in the ticket have been accurately implemented. - [ ] Ensure the ticket has been updated with the sprint, status, and story points. --------- Co-authored-by: Liam Hongman Cho --- .github/workflows/package-publish.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+)
diff --git a/.github/workflows/package-publish.yml b/.github/workflows/package-publish.yml
index b97ddcbb5..ce38904e2 100644
--- a/.github/workflows/package-publish.yml
+++ b/.github/workflows/package-publish.yml
@@ -27,6 +27,33 @@ jobs:
 with:
 node-version: 18.x
 cache: 'yarn'
+ - name: 'validation'
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const permission = await github.rest.repos.getCollaboratorPermissionLevel({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ username: context.actor
+ });
+ if (permission.data.permission !== 'admin' && permission.data.permission !== 'write') {
+ core.setFailed(`User ${context.actor} does not have write or admin permissions to this repository.`);
+ }
+ const currentBranch = context.ref.replace('refs/heads/', '');
+ if (currentBranch !== `release/v${{ github.event.inputs.version }}`) {
+ core.setFailed(`Current branch ${currentBranch} does not match release/v${{ github.event.inputs.version }}`);
+ }
+ const pullRequests = await github.rest.pulls.list({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ state: 'open',
+ sort: 'created',
+ direction: 'desc',
+ });
+ const pr = pullRequests.data.find(pr => pr.head.ref === currentBranch && pr.base.ref === 'develop');
+ if (!pr) {
+ core.setFailed(`No open pull request found for ${currentBranch} to develop`);
+ }
 - name: Check if the release branch exists
 run: |
 set -x
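Review bot: The branch check splices `${{ github.event.inputs.version }}` straight into the JavaScript source of the `script:` block (twice: in the comparison and in the failure message), so a dispatch input containing a backtick or `${` closes the template literal and the remainder of the input runs as code with whatever token this github-script step holds — the collaborator check just above it runs inside the same script and does not mitigate this. Even if only users with write access can dispatch the workflow, this is the expression-injection pattern GitHub's hardening guide says to avoid; pass the input through `env:` and read `process.env.RELEASE_VERSION`, and reject values that do not look like a version (adjust the pattern below to the project's version scheme) before building the branch name. The pull-request lookup has a separate, non-security defect: `pulls.list` is called without `head`/`base` filters and with the default page size, so a repository with more than 30 open pull requests can silently miss the release PR and fail the publish for no reason; passing `head` as `owner:branch` together with `base: 'develop'` lets the API do the matching. Note also that `core.setFailed` marks the step failed but does not stop the script, so the later checks still run against an already-rejected branch name; an early `return` after each failure keeps the log to the first real cause.
```yaml
      - name: 'validation'
        # … unchanged: uses: actions/github-script@v7 …
        env:
          # Read the dispatch input from the environment instead of interpolating it into code.
          RELEASE_VERSION: ${{ github.event.inputs.version }}
        with:
          script: |
            // … unchanged: collaborator permission check …
            const version = process.env.RELEASE_VERSION ?? '';
            // Reject anything that is not a plain version before it reaches a branch name or API call.
            if (!/^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/.test(version)) {
              core.setFailed(`Input version "${version}" is not a valid release version.`);
              return;
            }
            const currentBranch = context.ref.replace('refs/heads/', '');
            const releaseBranch = `release/v${version}`;
            if (currentBranch !== releaseBranch) {
              core.setFailed(`Current branch ${currentBranch} does not match ${releaseBranch}`);
              return;
            }
            // Let the API filter by head/base so the result is not limited to the first page.
            const pullRequests = await github.rest.pulls.list({
              owner: context.repo.owner,
              repo: context.repo.repo,
              state: 'open',
              head: `${context.repo.owner}:${currentBranch}`,
              base: 'develop',
            });
            if (pullRequests.data.length === 0) {
              core.setFailed(`No open pull request found for ${currentBranch} to develop`);
            }
```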