Ma77Ball commented on issue #4279:
URL: https://github.com/apache/texera/issues/4279#issuecomment-4057875683

   Low-level design diagram for `check-permissions`:
   ```mermaid
   flowchart TD
       A([PR opened or synced]) --> B{workflow file<br>modified?}
       B -->|no| P([pass, output SHA])
       B -->|yes| C{actor has<br>write access?}
       C -->|yes| P
       C -->|no| F([fail])
    
       L([safe-to-test labeled]) --> D{actor has<br>write access?}
       D -->|yes| P
       D -->|no| R([fail, remove label])
    
       P --> E[frontend / scala / python<br>checkout at SHA]
   ```
   Low-Level Explanation:
   - For regular PRs, it diffs the changed files against the base branch. If `.github/workflows/github-action-build.yml` was touched, it checks whether the actor has write/maintain/admin access. If not, the build is blocked.
   - For labeled PRs, when `safe-to-test` is applied, it checks who applied it. If that person lacks write access, the label is deleted, and the build is blocked. This prevents a contributor from applying the label themselves to bypass the workflow check.
   - On SHA, the gate resolves and outputs `github.sha` (the commit being tested). All three build jobs then check out that exact SHA via `ref: ${{ needs.check-permissions.outputs.sha }}`, ensuring every job runs against the same commit regardless of when the jobs start.
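
The gate's decision table from the diagram above, written out as an added example that is not part of the original comment and is not Texera's workflow code. The input shape, the function names, the fail-closed default for unknown triggers and the sample events are assumptions made for illustration.

```javascript
// Path and permission levels are the ones named in the comment.
const WORKFLOW_FILE = ".github/workflows/github-action-build.yml";
const TRUSTED = new Set(["write", "maintain", "admin"]);

// Hypothetical input: trigger is "pr" (opened or synced) or "safe-to-test"
// (label applied); permission is the repository permission of the actor,
// which for the label trigger is whoever applied the label, not the PR author.
function checkPermissions({ trigger, permission, changedFiles = [], sha }) {
  const trusted = TRUSTED.has(permission);
  const pass = { pass: true, sha, removeLabel: false };
  const fail = { pass: false, sha: null, removeLabel: false };

  if (trigger === "safe-to-test") {
    // An untrusted labeler fails the gate and the label is taken off again,
    // so a contributor cannot self-approve by labeling their own PR.
    return trusted ? pass : { ...fail, removeLabel: true };
  }
  if (trigger === "pr") {
    const touchesWorkflow = changedFiles.includes(WORKFLOW_FILE);
    return !touchesWorkflow || trusted ? pass : fail;
  }
  return fail; // assumption: unknown triggers fail closed
}

// Constructed sample events; the SHA is a placeholder, not a real commit.
const SHA = "0000000000000000000000000000000000000000";
const SAMPLES = [
  { trigger: "pr", permission: "read", changedFiles: ["core/Foo.scala"], sha: SHA },
  { trigger: "pr", permission: "read", changedFiles: [WORKFLOW_FILE], sha: SHA },
  { trigger: "pr", permission: "write", changedFiles: [WORKFLOW_FILE], sha: SHA },
  { trigger: "safe-to-test", permission: "read", sha: SHA },
  { trigger: "safe-to-test", permission: "maintain", sha: SHA },
];

function runSamples() {
  return SAMPLES.map(checkPermissions);
}

for (const [i, r] of runSamples().entries()) {
  console.log(i + 1, r.pass ? `pass, build at ${r.sha}` : "fail",
    r.removeLabel ? "(label removed)" : "");
}
```

Only a passing result carries a SHA, so the build jobs have nothing to check out when the gate fails.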

