26 | 26 | - 'ci-enable/**' |
27 | 27 | - 'main' |
28 | 28 | pull_request: |
| 29 | + types: [opened, synchronize, reopened] |
29 | 30 | workflow_dispatch: |
30 | 31 |
|
31 | 32 | concurrency: |
32 | 33 | group: ${{ github.workflow }}-${{ github.ref }} |
33 | 34 | cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} |
34 | 35 |
|
35 | 36 | jobs: |
| 37 | + check-permissions: |
| 38 | + runs-on: ubuntu-latest |
| 39 | + steps: |
| 40 | + - name: Checkout |
| 41 | + uses: actions/checkout@v5 |
| 42 | + with: |
| 43 | + fetch-depth: 0 |
| 44 | + - name: Get changed files |
| 45 | + id: changed-files |
| 46 | + run: | |
| 47 | + if [ "${{ github.event_name }}" == "pull_request" ]; then |
| 48 | + CHANGED=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | grep -c "^\.github/workflows/github-action-build\.yml$" || true) |
| 49 | + if [ "$CHANGED" -gt "0" ]; then |
| 50 | + echo "any_changed=true" >> $GITHUB_OUTPUT |
| 51 | + else |
| 52 | + echo "any_changed=false" >> $GITHUB_OUTPUT |
| 53 | + fi |
| 54 | + else |
| 55 | + echo "any_changed=false" >> $GITHUB_OUTPUT |
| 56 | + fi |
| 57 | + - name: Check if actor is a committer |
| 58 | + id: check-committer |
| 59 | + if: steps.changed-files.outputs.any_changed == 'true' |
| 60 | + env: |
| 61 | + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 62 | + run: | |
| 63 | + PERMISSION=$(gh api repos/${{ github.repository }}/collaborators/${{ github.actor }}/permission --jq '.permission' 2>/dev/null || echo "none") |
| 64 | + if [[ "$PERMISSION" == "admin" || "$PERMISSION" == "maintain" || "$PERMISSION" == "write" ]]; then |
| 65 | + echo "is_committer=true" >> $GITHUB_OUTPUT |
| 66 | + else |
| 67 | + echo "is_committer=false" >> $GITHUB_OUTPUT |
| 68 | + fi |
| 69 | + - name: Require approval if workflow changed |
| 70 | + if: | |
| 71 | + steps.changed-files.outputs.any_changed == 'true' && |
| 72 | + steps.check-committer.outputs.is_committer == 'false' |
| 73 | + run: | |
| 74 | + echo "::error::This PR modifies the build workflow. A committer must review and re-run this workflow manually." |
| 75 | + exit 1 |
| 76 | +
|
36 | 77 | frontend: |
| 78 | + needs: check-permissions |
37 | 79 | runs-on: ${{ matrix.os }} |
38 | 80 | strategy: |
39 | 81 | matrix: |
|
81 | 123 | run: yarn --cwd frontend run build:ci |
82 | 124 |
|
83 | 125 | scala: |
| 126 | + needs: check-permissions |
84 | 127 | strategy: |
85 | 128 | matrix: |
86 | 129 | os: [ ubuntu-22.04 ] |
|
97 | 140 | POSTGRES_PASSWORD: postgres |
98 | 141 | ports: |
99 | 142 | - 5432:5432 |
100 | | - # Add a health check so steps wait until Postgres is ready |
101 | 143 | options: >- |
102 | 144 | --health-cmd="pg_isready -U postgres" |
103 | 145 | --health-interval=10s |
@@ -145,6 +187,7 @@ jobs: |
145 | 187 | run: sbt test |
146 | 188 |
|
147 | 189 | python: |
| 190 | + needs: check-permissions |
148 | 191 | strategy: |
149 | 192 | matrix: |
150 | 193 | os: [ ubuntu-latest ] |
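Review bot: The gate this `needs: check-permissions` depends on cannot be cleared the way its own error message tells a committer to clear it: the permission lookup (in the check-permissions job defined earlier in the file, outside this hunk) keys on `github.actor`, which per the GitHub docs stays the user who triggered the initial run even on a re-run, so a committer re-running the failed workflow still gets `is_committer=false` and the job fails again. The re-runner is exposed as `github.triggering_actor`, so the lookup should use that and take it through the environment rather than interpolating into the shell text, e.g. `ACTOR: ${{ github.triggering_actor }}` under the step's `env:` and `PERMISSION=$(gh api "repos/$GITHUB_REPOSITORY/collaborators/$ACTOR/permission" --jq '.permission' 2>/dev/null || echo "none")` in `run:`. Note also that on `synchronize` and `reopened` the actor is whoever pushed or reopened, not necessarily the PR author, so a committer reopening a third-party PR passes the gate for that PR's workflow edits. Finally, because `pull_request` executes the workflow file from the PR head, the gate lives in the very file the PR may edit; it guards against accidental workflow changes by non-committers, not hostile ones, which deserves a comment on the job such as `# Advisory gate only: pull_request runs the PR's own copy of this file, so a PR that also edits this job can bypass it.`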
|