Add Azure Network Security Perimeter (NSP) support #2711
| # Trigger deployment tests from PR comments | |
| # | |
| # Usage: Comment `/deployment-test` on a PR | |
| # | |
| # This workflow validates the commenter is an org member and triggers | |
| # the deployment-tests.yml workflow with the PR context. | |
| # | |
| name: Deployment Test Command | |
| on: | |
| issue_comment: | |
| types: [created] | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| actions: write # To trigger workflows | |
| jobs: | |
| deployment-test: | |
| # Only run when the comment is exactly /deployment-test on a PR | |
| if: >- | |
| ${{ | |
| github.event.comment.body == '/deployment-test' && | |
| github.event.issue.pull_request && | |
| github.repository_owner == 'microsoft' | |
| }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check org membership | |
| id: check_membership | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| with: | |
| script: | | |
| const commenter = context.payload.comment.user.login; | |
| try { | |
| // Check if user is a member of the dotnet org | |
| const { status } = await github.rest.orgs.checkMembershipForUser({ | |
| org: 'dotnet', | |
| username: commenter | |
| }); | |
| if (status === 204 || status === 302) { | |
| core.info(`✅ ${commenter} is a member of dotnet org`); | |
| core.setOutput('is_member', 'true'); | |
| return; | |
| } | |
| } catch (error) { | |
| if (error.status === 404) { | |
| core.warning(`❌ ${commenter} is not a member of dotnet org`); | |
| core.setOutput('is_member', 'false'); | |
| // Post a comment explaining the restriction | |
| await github.rest.issues.createComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| body: `@${commenter} The \`/deployment-test\` command is restricted to dotnet org members for security reasons (it deploys to real Azure infrastructure).` | |
| }); | |
| return; | |
| } | |
| throw error; | |
| } | |
| - name: Get PR details | |
| if: steps.check_membership.outputs.is_member == 'true' | |
| id: pr | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| with: | |
| script: | | |
| const { data: pr } = await github.rest.pulls.get({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| pull_number: context.issue.number | |
| }); | |
| core.setOutput('number', pr.number); | |
| core.setOutput('head_sha', pr.head.sha); | |
| core.setOutput('head_ref', pr.head.ref); | |
| - name: Trigger deployment tests | |
| if: steps.check_membership.outputs.is_member == 'true' | |
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
| with: | |
| script: | | |
| // Dispatch from the PR's head ref to test the PR's code changes. | |
| // Security: Org membership check is the security boundary - only trusted | |
| // dotnet org members can trigger this workflow. | |
| // Note: The triggered workflow posts its own "starting" comment with the run URL. | |
| await github.rest.actions.createWorkflowDispatch({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| workflow_id: 'deployment-tests.yml', | |
| ref: '${{ steps.pr.outputs.head_ref }}', | |
| inputs: { | |
| pr_number: '${{ steps.pr.outputs.number }}' | |
| } | |
| }); | |
| core.info('✅ Triggered deployment-tests.yml workflow'); |
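Review bot: `ref: '${{ steps.pr.outputs.head_ref }}'` (L89) and `pr_number: '${{ steps.pr.outputs.number }}'` (L91) are expanded into the script text before it is evaluated, so the PR branch name becomes part of the JavaScript; that name is chosen by the PR author rather than the org-member commenter, so the membership check at L38 does not cover it. Route both values through `env:` and read them with `process.env` in the script, as below. Separately, the org-membership API documents 302 as the response when the requester is not an org member, not as a positive membership result, so `status === 302` on L42 should not set `is_member` to `'true'`; given the repo is under `microsoft` (L26) while the org queried is `dotnet` (L39), that may well be the path taken here — confirm which token/org combination is intended and document it. The comment at L81–L83 should also state that `deployment-tests.yml` is read from the PR head ref, so the dispatched workflow definition itself comes from the PR author.
```yaml
      - name: Trigger deployment tests
        if: steps.check_membership.outputs.is_member == 'true'
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        env:
          HEAD_REF: ${{ steps.pr.outputs.head_ref }}
          PR_NUMBER: ${{ steps.pr.outputs.number }}
        with:
          script: |
            // … unchanged: leading security/dispatch comments …
            await github.rest.actions.createWorkflowDispatch({
              owner: context.repo.owner,
              repo: context.repo.repo,
              workflow_id: 'deployment-tests.yml',
              ref: process.env.HEAD_REF,
              inputs: {
                pr_number: process.env.PR_NUMBER
              }
            });
            // … unchanged: core.info success log …
```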