PP-11314 harden release workflow

- check for concourse user when determining release workflow trigger - prevent other merges when there is an open release pr
alphagov · Aug 21, 2023 · ae833d1 · ae833d1
1 parent 010a7d9
commit ae833d1
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/.github/workflows/prevent-merge-if-release-open.yml b/.github/workflows/prevent-merge-if-release-open.yml
@@ -0,0 +1,29 @@
+name: Check for unmerged release PR
+
+on:
+  pull_request:
+
+permissions:
+  pull-requests: read
+
+jobs:
+  check_merge:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check for unmerged release
+        id: check_pr
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const prs = await github.rest.pulls.list({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'open'
+            })
+
+            const openRelease = prs.data.find(pr => pr.user.login === 'alphagov-pay-ci-concourse' && pr.state === 'open')
+
+            if (openRelease) {
+              core.setFailed('There is an unmerged release PR, please merge it before merging this PR.')
+            }