bot: require admin or maintain role for users

awslabs · Jul 17, 2024 · 0eeb2a5 · 0eeb2a5
1 parent e9ed61b
commit 0eeb2a5
Showing 1 changed file with 26 additions and 4 deletions.
diff --git a/.github/actions/bot/index.js b/.github/actions/bot/index.js
@@ -10,10 +10,7 @@ async function bot(core, github, context, uuid) {
     }
     console.log("Comment found in payload");
 
-    // user's org membership must be public for the author_association to be MEMBER
-    // go to the org's member page, find yourself, and set the visibility to public
-    const author = payload.comment.user.login;
-    const authorized = ["OWNER", "MEMBER"].includes(payload.comment.author_association);
+    const authorized = await isUserAuthorized(github, payload);
     if (!authorized) {
         console.log(`Comment author is not authorized: ${author}`);
         return;
@@ -52,6 +49,31 @@ async function bot(core, github, context, uuid) {
     }
 }
 
+/**
+ * @returns true if the author of this payload's comment has both:
+ * - an OWNER or MEMBER of the repository's organization
+ * - the admin or maintain roles in the repository
+ */
+async function isUserAuthorized(github, payload) {
+    // user's org membership must be public for the author_association to be MEMBER
+    // go to the org's member page, find yourself, and set the visibility to public
+    const author = payload.comment.user.login;
+    if (!["OWNER", "MEMBER"].includes(payload.comment.author_association)) {
+        console.log(`Comment author association is not OWNER or MEMBER: ${author}`);
+        return false;
+    }
+    const authorPermissionLevel = await github.rest.repos.getCollaboratorPermissionLevel({
+        owner: payload.repository.owner.login,
+        repo: payload.repository.name,        
+        username: author
+    });
+    if (!['admin', 'maintain'].contains(authorPermissionLevel.data.role_name)) {
+        console.log(`Comment author does not have the admin or maintain role for the repository: ${author}`);
+        return false;
+    }
+    return true;
+}
+
 // replyToCommand creates a comment on the same PR that triggered this workflow
 function replyToCommand(github, payload, reply) {
     github.rest.issues.createComment({