WIP

.github/workflows/external-message.yml

@@ -11,6 +11,9 @@ on:
     branches:
       - main
 
+  pull_request:
+    types: [opened, synchronize]
+
 
 jobs:
   comment-on-pr:
@@ -19,73 +22,44 @@ jobs:
       pull-requests: write
 
     steps:
-      # NOTE: The following checks may not be accurate depending on Org or Repo settings. 
-      - name: Check user and potential secret access
+      - uses: actions/checkout@v4
+
+      # We cannot check if the user has access to secrets from this workflow.
+      # However, if they user has access to secrets, the integration-tests.yml workflow will 
+      # write a message. Wait and check if the message is present.
+      # This can fail if the worker pool is out of capacity and the integration-tests.yml workflow
+      # runs after this workflow.
+      - name: Wait for 30 seconds
+        run: sleep 30
+        shell: bash
+
+      - name: Check for integration tests comment
         id: check-secrets-access
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
         run: |
-          USER_LOGIN="${{ github.event.pull_request.user.login }}"
-          REPO_OWNER="${{ github.repository_owner }}"
-          REPO_NAME="${{ github.event.repository.name }}"
+          comment_found=$(gh pr view $PR_NUMBER --json comments \
+            --jq '.comments[].body | select(startswith("<!-- INTEGRATION_TESTS -->"))' \
+            --repo ${{ github.repository }})
           
-          echo "Pull request opened by: $USER_LOGIN"
-          
-          # Check if PR is from a fork
-          IS_FORK=$([[ "${{ github.event.pull_request.head.repo.full_name }}" != "${{ github.repository }}" ]] && echo "true" || echo "false")
-          
-          HAS_ACCESS="false"
-          
-          # Check user's permission level on the repository
-          USER_PERMISSION=$(gh api repos/$REPO_OWNER/$REPO_NAME/collaborators/$USER_LOGIN/permission --jq '.permission')
-          
-          if [[ "$USER_PERMISSION" == "admin" || "$USER_PERMISSION" == "write" ]]; then
-            HAS_ACCESS="true"
-          elif [[ "$USER_PERMISSION" == "read" ]]; then
-            # For read access, we need to check if the user has been explicitly granted secret access
-            # This information is not directly available via API, so we'll make an assumption
-            # that read access does not imply secret access
-            HAS_ACCESS="false"
-          fi
-          
-          # Check if repo owner is an organization
-          IS_ORG=$(gh api users/$REPO_OWNER --jq '.type == "Organization"')
-          
-          if [[ "$IS_ORG" == "true" && "$HAS_ACCESS" == "false" ]]; then
-            # Check if user is a member of any team with write or admin access to the repo
-            TEAMS_WITH_ACCESS=$(gh api repos/$REPO_OWNER/$REPO_NAME/teams --jq '.[] | select(.permission == "push" or .permission == "admin") | .slug')
-            for team in $TEAMS_WITH_ACCESS; do
-              IS_TEAM_MEMBER=$(gh api orgs/$REPO_OWNER/teams/$team/memberships/$USER_LOGIN --silent && echo "true" || echo "false")
-              if [[ "$IS_TEAM_MEMBER" == "true" ]]; then
-                HAS_ACCESS="true"
-                break
-              fi
-            done
-          fi
-          
-          # If it's a fork, set HAS_ACCESS to false regardless of other checks
-          if [[ "$IS_FORK" == "true" ]]; then
-            HAS_ACCESS="false"
-          fi
-          
-          echo "has_secrets_access=$HAS_ACCESS" >> $GITHUB_OUTPUT
-          if [[ "$HAS_ACCESS" == "true" ]]; then
-            echo "User $USER_LOGIN likely has access to secrets"
+          if [ -n "$comment_found" ]; then
+            echo "has_secrets_access=true" >> $GITHUB_OUTPUT
+            echo "Integration tests comment found"
           else
-            echo "User $USER_LOGIN likely does not have access to secrets"
+            echo "has_secrets_access=false" >> $GITHUB_OUTPUT
+            echo "Integration tests comment not found"
           fi
 
-
-      - uses: actions/checkout@v4
-
+      # If not found, write a comment for manual execution
       - name: Delete old comments
         if: steps.check-secrets-access.outputs.has_secrets_access != 'true'
         env:
            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
             # Delete previous comment if it exists
             previous_comment_ids=$(gh api "repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
-              --jq '.[] | select(.body | startswith("<!-- INTEGRATION_TESTS -->")) | .id')
+              --jq '.[] | select(.body | startswith("<!-- INTEGRATION_TESTS_MANUAL -->")) | .id')
             echo "Previous comment IDs: $previous_comment_ids"
             # Iterate over each comment ID and delete the comment
             if [ ! -z "$previous_comment_ids" ]; then
@@ -102,7 +76,7 @@ jobs:
           COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
         run: |
           gh pr comment ${{ github.event.pull_request.number }} --body \
-          "<!-- INTEGRATION_TESTS -->
+          "<!-- INTEGRATION_TESTS_MANUAL -->
           Run integration tests manually:
           [go/deco-tests-run/sdk-java](https://go/deco-tests-run/sdk-java)
 

.github/workflows/integration-tests.yml

@@ -20,7 +20,7 @@ jobs:
                 echo "GITHUB_TOKEN is empty. User has no access to tokens."
                 echo "::set-output name=has_token::false"
             else
-                echo "GITHUB_TOKEN is set. User has no access to tokens."
+                echo "GITHUB_TOKEN is set. User has access to tokens."
                 echo "::set-output name=has_token::true"
             fi