1
name: PR from External Contribution Detector
13
(github.event.pull_request.author_association != 'OWNER') &&
14
(github.event.pull_request.author_association != 'COLLABORATOR') &&
15
(github.event.pull_request.author_association != 'MEMBER')
17
runs-on: ubuntu-latest
22
# Detect if the secret 'CHECK_TEAM_ORG_APP_ID' is set. If it's not set, don't
23
# bother running this GH workflow.
24
- name: Check if CHECK_TEAM_ORG_APP_ID is set in github secrets
27
echo "is_CHECK_TEAM_ORG_APP_ID_set: ${{ secrets.CHECK_TEAM_ORG_APP_ID != '' }}"
28
echo is_CHECK_TEAM_ORG_APP_ID_set="${{ secrets.CHECK_TEAM_ORG_APP_ID != '' }}" >> $GITHUB_OUTPUT
31
# Get a token with the read:org permissions so that the GH action
32
# can read the team membership for a user. We need to do this over a
33
# GH app because GH actions don't have support for these type of
35
if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' }}
37
uses: cilium/actions-app-token@61a6271ce92ba02f49bf81c755685d59fb25a59a # v0.21.1
39
APP_PEM: ${{ secrets.CHECK_TEAM_ORG_PEM }}
40
APP_ID: ${{ secrets.CHECK_TEAM_ORG_APP_ID }}
42
- name: Check author association
43
if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' }}
44
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
45
id: author_association
46
# https://docs.github.com/en/rest/orgs/members?apiVersion=2022-11-28#check-organization-membership-for-a-user
48
github-token: ${{ steps.get_token.outputs.app_token }}
51
const result = await github.rest.orgs.checkMembershipForUser({
52
org: "${{ github.repository_owner }}",
53
username: "${{github.event.pull_request.user.login}}",
55
return result.status == 204;
60
- name: Print author association
61
if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' }}
63
echo author_association_from_event=${{ github.event.pull_request.author_association }}
64
echo author_association_from_api=${{ steps.author_association.outputs.result }}
67
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
68
if: ${{ steps.check_secret.outputs.is_CHECK_TEAM_ORG_APP_ID_set == 'true' && steps.author_association.outputs.result != 'true' }}
71
github.rest.issues.addLabels({
72
issue_number: context.issue.number,
73
owner: context.repo.owner,
74
repo: context.repo.repo,
75
labels: ["kind/community-contribution"]