Feature request: allow certain users
Closed this issue ยท 5 comments
Hi,
I was thinking about using your action to prevent someone from adding changed *.lock
(eg. from yarn, packages, composer) to PRs. This should prevent that someone sneaks in new packages not updated by the core maintainer.
BUT: when I would now configure your action to fail on *.lock
I wouldn't be able myself to create new PRs with updated dependencies. Or dependabot for example.
Not sure if your action was made to cover that use-case, but maybe you would consider to add a feature where certain users are allowed to override the pattern?
Not sure about the wording for the new setting I was thinking about, but I imagined something like that:
- name: Prevent file change
uses: xalvarez/prevent-file-change-action@v1
with:
githubToken: ${{ secrets.GITHUB_TOKEN }}
pattern: .*.lock
maintainer: kevinpapst, xalvarez, dependabot
With that setting applied, the 3 users kevinpapst
, xalvarez
and dependabot
would be allowed to pass the pattern rule.
What do you think?
Edit:
Or is there some other way to achieve the same goal with native Github actions features?
P.S: this is not a bug, the label was added automatically.
Good idea ๐ I can work on that in the weekend or next week
Thanks for the quick and positive response @xalvarez ๐
In the meantime I tried to use this in my action:
if: ${{ github.actor != 'kevinpapst' && github.actor != 'dependabot[bot]' }}
steps:
- name: Prevent file change
uses: xalvarez/prevent-file-change-action@v1
with:
githubToken: ${{ secrets.GITHUB_TOKEN }}
pattern: .*.lock
So only running your action if the user is neither me nor dependabot.
That would achieve the same goal, but:
The skipped
status will lead to problems when branch protection is activated with Status checks are required
. There are workarounds existing, but I believe handling this inside the action is a much cleaner solution.
I can help testing, just give me a ping!
Hi @kevinpapst, I've just released v1.1.0 including the suggested enhancement. I named the input variable trustedAuthors
. If you have time, please try it out ๐
Awesome, thank you so much for quickly adding this new feature ๐
I tried a new PR without a changed lock file and it said
Now I have to wait for a user adding or updating an existing PR for the real fun ๐ and will report back for the use-cases I want this action for: making sure that no-one will submit a changed .lock file.
I'll close this feature request. Thanks again @xalvarez - just shared your great action (which needs much more stars!) on Twitter