From 73df5decce09f82a64f4191879903b4d2c0f4467 Mon Sep 17 00:00:00 2001
From: Alex Babrykovich
Date: Tue, 16 Jul 2024 08:18:29 +0300
Subject: [PATCH] ci: skip sonarqube step for PR from form #109 (#156)
* ci: skip sonarqube step for PR from form #109
* ci: use fresh AVD from benchmark tests (#157)
* refactor: build gradle (#161)
* chore: split big sdk/build.gradle to several applied gradle sripts
* chore: upload all outputs and reports on benchmark failure
* ci: move timeout restoriction to step level and reduce it to 20
* debug: enable artifact upload for success bench
* fix: ignore HCaptchaWebViewHelperTest.benchmarkWebViewLoad benchmark
* ci: skip sonarqube step for PR from form #109
* ci: migrate to own check-user-permission action
* fix: bad prior merge
* fix: add value to outputs of check-user-permission action
---
.../actions/check-user-permission/action.yml | 50 +++++++++++++++++++
.github/workflows/ci.yml | 37 +++++++++++++-
2 files changed, 85 insertions(+), 2 deletions(-)
create mode 100644 .github/actions/check-user-permission/action.yml
diff --git a/.github/actions/check-user-permission/action.yml b/.github/actions/check-user-permission/action.yml
new file mode 100644
index 0000000..521b28f
--- /dev/null
+++ b/.github/actions/check-user-permission/action.yml
@@ -0,0 +1,50 @@
+name: Check User Permission
+description: Checks if the user has the required permission level.
+
+inputs:
+ token:
+ description: Secret GitHub API token to use for making API requests.
+ default: ${{ github.token }}
+ required: true
+ require:
+ description: 'Permission level to check against (admin, write, read)'
+ default: write
+ required: true
+
+outputs:
+ granted:
+ description: 'true if the user has the required permission, false otherwise'
+ value: ${{ steps.check.outputs.granted }}
+ permission:
+ description: actual user permission (admin, write, read)
+ value: ${{ steps.check.outputs.permission }}
+
+runs:
+ using: "composite"
+ steps:
+ - name: Check user permission
+ id: check
+ shell: bash
+ env:
+ GITHUB_TOKEN: ${{ inputs.token }}
+ OWNER: ${{ github.repository_owner }}
+ REPO: ${{ github.event.repository.name }}
+ USERNAME: ${{ github.triggering_actor }}
+ PERMISSION: ${{ inputs.require }}
+ run: |
+ # Fetch the collaborator permission level using the GitHub API
+ response=$(curl -s -H "Authorization: token $GITHUB_TOKEN" \
+ "https://api.github.com/repos/$OWNER/$REPO/collaborators/$USERNAME/permission")
+
+ # Extract the permission level from the JSON response
+ user_permission=$(echo $response | jq -r '.permission')
+ echo "permission=${user_permission}" >> $GITHUB_OUTPUT
+
+ # Compare the permission level with the required permission
+ if [[ "$user_permission" == "$PERMISSION" || ( "$user_permission" == "admin" && "$PERMISSION" == "write" ) ]]; then
+ echo "User has the required permission."
+ echo "granted=true" >> $GITHUB_OUTPUT
+ else
+ echo "User does not have the required permission."
+ echo "granted=false" >> $GITHUB_OUTPUT
+ fi
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 31978dc..f19d14f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,7 @@ on: pull_request: paths-ignore: - '**.md' + workflow_dispatch: env: JAVA_VERSION: '17'
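Review bot: The comparison at the end of the `run` script in `action.yml` grants only on an exact match or on admin-versus-write, so `require: read` denies a user whose permission is `write` or `admin`, although the input description lists `read` as a valid level. Ranking the levels and comparing numerically fixes this and keeps the check fail-closed for an unknown level or for the `null` that `jq` yields when the API call returns an error body. In the same script, `echo $response` and the `>> $GITHUB_OUTPUT` redirections are unquoted; `echo "$response"` and `>> "$GITHUB_OUTPUT"` avoid word splitting and globbing on API-supplied text.

```yaml
      run: |
        # … unchanged: curl call, jq extraction and the permission= output line …

        # Map each level to a rank so that a higher level satisfies a lower requirement;
        # anything unrecognised (including "null" and "none") ranks 0 and is denied.
        rank() {
          case "$1" in
            admin) echo 3 ;;
            write) echo 2 ;;
            read)  echo 1 ;;
            *)     echo 0 ;;
          esac
        }
        required_rank=$(rank "$PERMISSION")
        if (( required_rank > 0 && $(rank "$user_permission") >= required_rank )); then
          echo "User has the required permission."
          echo "granted=true" >> "$GITHUB_OUTPUT"
        else
        # … unchanged: granted=false branch …
```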
@@ -197,22 +198,54 @@ jobs: - uses: actions/checkout@v4 with: fetch-depth: 0 + - uses: ./.github/actions/check-user-permission + id: write_access + with: + token: ${{ secrets.GITHUB_TOKEN }} - uses: actions/setup-java@v4 + if: steps.write_access.outputs.granted == 'true' with: java-version: ${{ env.JAVA_VERSION }} distribution: adopt - uses: gradle/actions/setup-gradle@v3 + if: steps.write_access.outputs.granted == 'true' with: cache-read-only: false - uses: actions/cache@v4 + if: steps.write_access.outputs.granted == 'true' with: path: ~/.sonar/cache key: ${{ runner.os }}-sonar restore-keys: ${{ runner.os }}-sonar - - env: + - run: ./gradlew sonarqube --info + if: steps.write_access.outputs.granted == 'true' + env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - run: ./gradlew sonarqube --info + - uses: peter-evans/find-comment@v3 + id: find_comment + with: + issue-number: ${{ github.event.pull_request.number }} + body-includes: SonarQube Execution + - uses: peter-evans/create-or-update-comment@v4 + if: steps.find_comment.outputs.comment-id == null && steps.write_access.outputs.granted == 'false' + with: + body: | + SonarQube Execution Skipped. `${{ github.triggering_actor }}` does not have permissions on this repo. Maintainers will rerun it manually + edit-mode: replace + comment-id: ${{ steps.find_comment.outputs.comment-id }} + issue-number: ${{ github.event.pull_request.number }} + token: ${{ secrets.GITHUB_TOKEN }} + - uses: peter-evans/create-or-update-comment@v4 + if: steps.find_comment.outputs.comment-id != null && steps.write_access.outputs.granted == 'true' + with: + body: | + + SonarQube Execution Completed. + edit-mode: append + comment-id: ${{ steps.find_comment.outputs.comment-id }} + issue-number: ${{ github.event.pull_request.number }} + token: ${{ secrets.GITHUB_TOKEN }} size-report: name: 'Diffuse report'
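Review bot: The three comment steps at the end of this hunk are not limited to pull-request runs and depend on a writable token: `peter-evans/find-comment` has no `if`, so on the `workflow_dispatch` trigger this commit adds `github.event.pull_request.number` is empty, and on a `pull_request` run from a fork `secrets.GITHUB_TOKEN` is normally read-only, so the "Skipped" comment is likely to fail in exactly the case it targets (the job header and its `permissions:` are outside the hunk, so confirm). Adding `if: github.event_name == 'pull_request'` to the find step and to both comment conditions, plus `continue-on-error: true` on the comment steps, keeps the job from failing when the comment cannot be written. Posting the comment from a separate `workflow_run` workflow is safer than moving this job to `pull_request_target`, because the job runs `./gradlew` on the PR's code. The two `peter-evans` actions receive a token and are referenced by tag; pinning them to a full commit SHA would narrow the supply-chain exposure.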