From b10da363cda8cb45899481cc420313c43219079e Mon Sep 17 00:00:00 2001 From: Catherine Lee Date: Mon, 24 Feb 2025 13:57:57 -0800 Subject: [PATCH 1/2] tc --- torchci/lib/bot/ciflowPushTrigger.ts | 6 ++++++ torchci/test/ciflow-push-trigger.test.ts | 18 ++++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/torchci/lib/bot/ciflowPushTrigger.ts b/torchci/lib/bot/ciflowPushTrigger.ts index a52905cadd..ca8b03b332 100644 --- a/torchci/lib/bot/ciflowPushTrigger.ts +++ b/torchci/lib/bot/ciflowPushTrigger.ts @@ -1,4 +1,5 @@ import { Context, Probot } from "probot"; +import { canRunWorkflows } from "./autoLabelBot"; import { CachedConfigTracker, hasApprovedPullRuns, @@ -89,6 +90,11 @@ async function handleSyncEvent( ) { context.log.debug("START Processing sync event"); + if (!(await canRunWorkflows(context as any))) { + context.log.info("PR does not have permissions to run workflows"); + return; + } + const headSha = payload.pull_request.head.sha; const tags = getAllPRTags(context, payload); const promises = tags.map( diff --git a/torchci/test/ciflow-push-trigger.test.ts b/torchci/test/ciflow-push-trigger.test.ts index 1e3b7efc67..951a0d4947 100644 --- a/torchci/test/ciflow-push-trigger.test.ts +++ b/torchci/test/ciflow-push-trigger.test.ts @@ -1,6 +1,7 @@ import ciflowPushTrigger from "lib/bot/ciflowPushTrigger"; import nock from "nock"; import { Probot, ProbotOctokit } from "probot"; +import { mockApprovedWorkflowRuns, mockHasApprovedWorkflowRun, mockPermissions } from "./utils"; nock.disableNetConnect(); @@ -179,6 +180,8 @@ describe("Push trigger integration tests", () => { "ciflow/1", ]; + mockHasApprovedWorkflowRun(payload.repository.full_name); + for (const label of labels) { nock("https://api.github.com") .get( @@ -219,6 +222,21 @@ describe("Push trigger integration tests", () => { await probot.receive({ name: "pull_request", id: "123", payload }); }); + test("synchronization of PR requires permissions", async () => { + const payload = require("./fixtures/push-trigger/pull_request.synchronize"); + mockApprovedWorkflowRuns( + payload.repository.full_name, + payload.pull_request.head.sha, + false + ); + mockPermissions( + payload.repository.full_name, + payload.pull_request.user.login, + "read" + ); + await probot.receive({ name: "pull_request", id: "123", payload }); + }); + test("closure of PR should cause all tags to be removed", async () => { const payload = require("./fixtures/push-trigger/pull_request.closed"); const prNum = payload.pull_request.number; From 63a84695b08e8f570847c05d1cb3a83b16a1dc21 Mon Sep 17 00:00:00 2001 From: Catherine Lee Date: Mon, 24 Feb 2025 14:04:03 -0800 Subject: [PATCH 2/2] tc --- torchci/test/ciflow-push-trigger.test.ts | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/torchci/test/ciflow-push-trigger.test.ts b/torchci/test/ciflow-push-trigger.test.ts index 951a0d4947..790805608e 100644 --- a/torchci/test/ciflow-push-trigger.test.ts +++ b/torchci/test/ciflow-push-trigger.test.ts @@ -1,7 +1,11 @@ import ciflowPushTrigger from "lib/bot/ciflowPushTrigger"; import nock from "nock"; import { Probot, ProbotOctokit } from "probot"; -import { mockApprovedWorkflowRuns, mockHasApprovedWorkflowRun, mockPermissions } from "./utils"; +import { + mockApprovedWorkflowRuns, + mockHasApprovedWorkflowRun, + mockPermissions, +} from "./utils"; nock.disableNetConnect();