From ae833d1a2a47d407e2199ef4b47aa499e6c2e5f6 Mon Sep 17 00:00:00 2001
From: Nathaniel Steers
Date: Mon, 21 Aug 2023 16:08:38 +0100
Subject: [PATCH] PP-11314 harden release workflow - check for concourse user when determining release workflow trigger - prevent other merges when there is an open release pr
---
.../prevent-merge-if-release-open.yml | 29 +++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 .github/workflows/prevent-merge-if-release-open.yml
diff --git a/.github/workflows/prevent-merge-if-release-open.yml b/.github/workflows/prevent-merge-if-release-open.yml
new file mode 100644
index 0000000..a31de96
--- /dev/null
+++ b/.github/workflows/prevent-merge-if-release-open.yml
@@ -0,0 +1,29 @@
+name: Check for unmerged release PR
+
+on:
+ pull_request:
+
+permissions:
+ pull-requests: read
+
+jobs:
+ check_merge:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check for unmerged release
+ id: check_pr
+ uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ const prs = await github.rest.pulls.list({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ state: 'open'
+ })
+
+ const openRelease = prs.data.find(pr => pr.user.login === 'alphagov-pay-ci-concourse' && pr.state === 'open')
+
+ if (openRelease) {
+ core.setFailed('There is an unmerged release PR, please merge it before merging this PR.')
+ }
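Review bot: The `pulls.list` call in the script reads only the first page of open PRs (30 by default), so on a repository with more open PRs than that the release PR can be missed and the gate passes when it should fail. Paginating closes that: `const prs = await github.paginate(github.rest.pulls.list, { owner: context.repo.owner, repo: context.repo.repo, state: 'open' })`, then `prs.find(...)` in place of `prs.data.find(...)`. The `find` predicate also matches the release PR itself when this workflow runs on it, which looks like it would fail the release PR's own check; adding `pr.number !== context.payload.pull_request.number` to the predicate would avoid that, and the `pr.state === 'open'` test is redundant given the list filter. Because the job runs only on `pull_request` events, a PR that went green before the release PR was opened keeps its passing status, so the block presumably depends on branch protection or a re-run to take effect; a comment in the workflow stating that dependency would help.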