Unverified Commit 3a268acb authored by Derek Nola's avatar Derek Nola Committed by GitHub

Check k3s-io organization membership not team membership for trivy scans (#10940)

parent 6731f4a7
...@@ -14,19 +14,20 @@ jobs: ...@@ -14,19 +14,20 @@ jobs:
- name: Check if comment author is a member of k3s-dev team - name: Check if comment author is a member of k3s-dev team
uses: actions/github-script@v7 uses: actions/github-script@v7
with: with:
# Catch 404 errors if user is not a member of the organization
# 302 is expected as the GHA is not a member of the organization
# Users must be set their membership to public for this to work
# https://github.com/orgs/k3s-io/people
script: | script: |
const org = context.repo.owner; const org = context.repo.owner;
const team_slug = 'k3s-dev';
const username = context.payload.comment.user.login; const username = context.payload.comment.user.login;
try {
const { data: membership } = await github.rest.teams.getMembershipForUserInOrg({ const result = await github.rest.orgs.checkMembershipForUser({
org, org,
team_slug, username,
username });
}); } catch (error) {
core.setFailed(`User ${username} is not an public member of the ${org} organization`);
if (membership.state !== 'active') {
core.setFailed(`User ${username} is not an active member of the ${team_slug} team`);
} }
- name: Checkout PR code - name: Checkout PR code
uses: actions/checkout@v4 uses: actions/checkout@v4
...@@ -87,6 +88,8 @@ jobs: ...@@ -87,6 +88,8 @@ jobs:
if: always() && needs.trivy_scan.result == 'failure' if: always() && needs.trivy_scan.result == 'failure'
permissions: permissions:
pull-requests: write pull-requests: write
env:
GH_TOKEN: ${{ github.token }}
steps: steps:
- name: Report Failure - name: Report Failure
run: | run: |
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment