summaryrefslogtreecommitdiffstats
path: root/services/actions/notifier_helper.go
diff options
context:
space:
mode:
Diffstat (limited to 'services/actions/notifier_helper.go')
-rw-r--r--services/actions/notifier_helper.go48
1 files changed, 46 insertions, 2 deletions
diff --git a/services/actions/notifier_helper.go b/services/actions/notifier_helper.go
index df67d2fa11..ef63b8cf94 100644
--- a/services/actions/notifier_helper.go
+++ b/services/actions/notifier_helper.go
@@ -153,7 +153,7 @@ func notify(ctx context.Context, input *notifyInput) error {
}
for id, content := range workflows {
- run := actions_model.ActionRun{
+ run := &actions_model.ActionRun{
Title: strings.SplitN(commit.CommitMessage, "\n", 2)[0],
RepoID: input.Repo.ID,
OwnerID: input.Repo.OwnerID,
@@ -166,12 +166,19 @@ func notify(ctx context.Context, input *notifyInput) error {
EventPayload: string(p),
Status: actions_model.StatusWaiting,
}
+ if need, err := ifNeedApproval(ctx, run, input.Repo, input.Doer); err != nil {
+ log.Error("check if need approval for repo %d with user %d: %v", input.Repo.ID, input.Doer.ID, err)
+ continue
+ } else {
+ run.NeedApproval = need
+ }
+
jobs, err := jobparser.Parse(content)
if err != nil {
log.Error("jobparser.Parse: %v", err)
continue
}
- if err := actions_model.InsertRun(ctx, &run, jobs); err != nil {
+ if err := actions_model.InsertRun(ctx, run, jobs); err != nil {
log.Error("InsertRun: %v", err)
continue
}
@@ -234,3 +241,40 @@ func notifyPackage(ctx context.Context, sender *user_model.User, pd *packages_mo
}).
Notify(ctx)
}
+
+func ifNeedApproval(ctx context.Context, run *actions_model.ActionRun, repo *repo_model.Repository, user *user_model.User) (bool, error) {
+ // don't need approval if it's not a fork PR
+ if !run.IsForkPullRequest {
+ return false, nil
+ }
+
+ // always need approval if the user is restricted
+ if user.IsRestricted {
+ log.Trace("need approval because user %d is restricted", user.ID)
+ return true, nil
+ }
+
+ // don't need approval if the user can write
+ if perm, err := access_model.GetUserRepoPermission(ctx, repo, user); err != nil {
+ return false, fmt.Errorf("GetUserRepoPermission: %w", err)
+ } else if perm.CanWrite(unit_model.TypeActions) {
+ log.Trace("do not need approval because user %d can write", user.ID)
+ return false, nil
+ }
+
+ // don't need approval if the user has been approved before
+ if count, err := actions_model.CountRuns(ctx, actions_model.FindRunOptions{
+ RepoID: repo.ID,
+ TriggerUserID: user.ID,
+ Approved: true,
+ }); err != nil {
+ return false, fmt.Errorf("CountRuns: %w", err)
+ } else if count > 0 {
+ log.Trace("do not need approval because user %d has been approved before", user.ID)
+ return false, nil
+ }
+
+ // otherwise, need approval
+ log.Trace("need approval because it's the first time user %d triggered actions", user.ID)
+ return true, nil
+}
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-19 16:42:05 +0000