fix(gha): allowlist staff, and revert commits (#62894)

2025-12-19 18:18:27 -05:00 · 2025-10-22 10:34:18 +05:30
parent 33839b291e
commit 51c24f67e1
1 changed files with 17 additions and 11 deletions
--- a/.github/workflows/github-no-web-commits.yml
+++ b/.github/workflows/github-no-web-commits.yml
@@ -21,16 +21,22 @@ jobs:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const prAuthor = context.payload.pull_request.user.login;
-            const response = await github.rest.teams
-              .getMembershipForUserInOrg({
-                org: context.repo.owner,
-                team_slug: 'moderators',
-                username: prAuthor
-              })
-              .catch(() => ({ status: 404 }));
-            let isAllowListed = false;
-            if (prAuthor === 'renovate[bot]' || response.status === 200) {
-              isAllowListed = true;
+            const allowedTeams = ['moderators', 'staff'];
+            let isAllowListed = prAuthor === 'renovate[bot]';
+            if (!isAllowListed) {
+              for (const team of allowedTeams) {
+                const response = await github.rest.teams
+                  .getMembershipForUserInOrg({
+                    org: context.repo.owner,
+                    team_slug: team,
+                    username: prAuthor
+                  })
+                  .catch(() => ({ status: 404 }));
+                if (response.status === 200) {
+                  isAllowListed = true;
+                  break;
+                }
+              }
            }
            core.setOutput('is_allow_listed', isAllowListed);

@@ -40,7 +46,7 @@ jobs:
        run: |
          PR_NUMBER=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH")
          COMMITS_URL="https://api.github.com/repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER/commits"
-          IS_GITHUB_COMMIT=$(curl --header "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" "$COMMITS_URL" | jq '[.[] | .commit.committer.name] | any(.[]; . == "GitHub")')
+          IS_GITHUB_COMMIT=$(curl --header "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" "$COMMITS_URL" | jq '[.[] | select(.commit.committer.name == "GitHub") | select(.commit.message | test("revert"; "i") | not)] | length > 0')
          if [ "$IS_GITHUB_COMMIT" = "true" ]; then
            echo "IS_GITHUB_COMMIT=true" >> $GITHUB_ENV
          fi