From 1d4db79caef1e1a13f60e53514b92d6f4784116f Mon Sep 17 00:00:00 2001
From: Jiri Konecny
Date: Nov 05 2020 12:17:58 +0000
Subject: Add rhel unit-tests workflow for pull_request_trigger back This is simplification for users with write access to have tests started even without the comment so it will work as expected. These tests will be no-op for external contributors. For them only first job is executed and this job only getting information but not testing anything. This workflow file is taken from master branch where it runs on comment. We did a few modifications to it: - use pull_request_target trigger so it will be automatically called when code is updated - rename workflow to avoid collisions and make it crystal clear that this will run only for owners - cleanup unnecessary code; we don't need any API calls except checking for user privileges everything else could be read from the trigger event data directly Related: rhbz#1885635
---
diff --git a/.github/workflows/owner-validate-rhel-8.yml b/.github/workflows/owner-validate-rhel-8.yml
new file mode 100644
index 0000000..06732dd
--- /dev/null
+++ b/.github/workflows/owner-validate-rhel-8.yml
@@ -0,0 +1,55 @@
+# Run rhel-8 unit tests for organization members only.
+# This avoids running untrusted and unreviewed code on self-hosted runners.
+name: owner-unit-tests-rhel-8
+on: [pull_request_target]
+
+jobs:
+ pr-info:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Query comment author repository permissions
+ uses: octokit/request-action@v2.x
+ id: user_permission
+ with:
+ route: GET /repos/${{ github.repository }}/collaborators/${{ github.event.sender.login }}/permission
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # restrict running of tests to users with admin or write permission for the repository
+ # see https://docs.github.com/en/free-pro-team@latest/rest/reference/repos#get-repository-permissions-for-a-user
+ # store output if user is allowed in allowed_user job output so it has to be checked in downstream job
+ - name: Check if user does have correct permissions
+ if: contains('admin write', fromJson(steps.user_permission.outputs.data).permission)
+ id: check_user_perm
+ run: |
+ echo "User '${{ github.event.sender.login }}' has permission '${{ fromJson(steps.user_permission.outputs.data).permission }}' allowed values: 'admin', 'write'"
+ echo "::set-output name=allowed_user::true"
+
+ outputs:
+ allowed_user: ${{ steps.check_user_perm.outputs.allowed_user }}
+
+ # Run unit tests only if user have write or admin rights
+ unit-tests:
+ needs: pr-info
+ if: needs.pr-info.outputs.allowed_user == 'true'
+ runs-on: [self-hosted, ci-tasks, rhel-8]
+ steps:
+ - name: Clone repository
+ uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+
+ - name: Run test
+ run: |
+ ./autogen.sh
+ ./configure
+ make
+ # put the log in the output, where it's easy to read and link to
+ make ci || { cat test-logs/test-suite.log; exit 1; }
+
+ - name: Upload test and coverage logs
+ if: always()
+ uses: actions/upload-artifact@v2
+ with:
+ name: logs
+ path: test-logs/*
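Review bot: The permission gate in `pr-info` is keyed on `github.event.sender.login`, which is the account that triggered the event rather than the author of the commits at `github.event.pull_request.head.sha`, so an event that a write-access user triggers on an external contributor's pull request (reopening it, for instance) would let `unit-tests` build that head on the self-hosted rhel-8 runner. I would query the permission of `github.event.pull_request.user.login` as well and require both checks to pass, and rename the first step, since "comment author" is left over from the comment-triggered workflow. Because `pull_request_target` runs with the base repository's token and `actions/checkout@v2` keeps that token in the checkout's git config by default, add `persist-credentials: false` under the checkout's `with:` so that `./autogen.sh` and `make` cannot read it. The `contains('admin write', ...)` condition is a substring match against a string; comparing the parsed permission with `== 'admin'` or `== 'write'` states the intent exactly. Pinning `octokit/request-action@v2.x`, which receives `GITHUB_TOKEN`, to a full commit SHA would also be worth doing.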