From 2ded70b7fcbd36d0674b3142e1f788ef7bdf52d9 Mon Sep 17 00:00:00 2001
From: Michael Lombardi
Date: Fri, 1 Apr 2022 15:22:16 -0500
Subject: [PATCH] (MAINT) Add GHA to check if author can target live

This commit adds a new GitHub Action workflow to validate that the author of a PR can target the `live` branch. It runs whenever a PR targeting the `live` branch is opened, reopened, or synchronized (new commits are pushed or the branch is forcibly updated). It checks the collaborators of the repository for the PR author to see if they have permissions as a maintainer or administrator; no other users are authorized to target changes at the `live` branch. If the author does not have the correct permissions, the check fails. With the branch protections for the repository set to require this check when targeting `live`, this will prevent unauthorized collaborators from accidentally trying to merge their changes to the live site instead of the working branch.
---
 .github/workflows/targeting-valid-branch.yml | 44 ++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 .github/workflows/targeting-valid-branch.yml

diff --git a/.github/workflows/targeting-valid-branch.yml b/.github/workflows/targeting-valid-branch.yml
new file mode 100644
index 000000000000..2c61f3840757
--- /dev/null
+++ b/.github/workflows/targeting-valid-branch.yml
@@ -0,0 +1,44 @@
+name: Targeting Valid Branch
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+jobs:
+  Test:
+    runs-on: windows-latest
+    defaults:
+      run:
+        shell: pwsh
+    if: github.base_ref == 'live'
+    steps:
+      - name: Authorized to Target Live Branch
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          $Query = @'
+          query author_collaborator_permission($owner: String!, $repo: String!, $actor: String!) {
+            repository(owner: $owner, name: $repo) {
+              collaborators(query: $actor) {
+                edges {
+                  permission
+                }
+              }
+            }
+          }
+          '@
+          $ApiParameters = @(
+            'api', 'graphql'
+            '-F', "owner=${{ github.event.pull_request.base.repo.owner.login}}"
+            '-F', "repo=${{ github.event.pull_request.base.repo.name }}"
+            '-F', "actor=${{ github.event.pull_request.user.login }}"
+            '-f', "query=$Query"
+            '--jq', '.data.repository.collaborators.edges[].permission'
+          )
+          [string[]]$Permissions = gh @ApiParameters
+          if ($Permissions -notcontains 'MAINTAIN' -and $Permissions -notcontains 'ADMIN') {
+            throw "Author does not have permissions to target ${{ github.base_ref }}"
+          } else {
+            echo "Author has permissions to target ${{ github.base_ref }}"
+          }
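Review bot: `collaborators(query: $actor)` in the GraphQL query is a search, not an exact lookup, so the `--jq` filter `.data.repository.collaborators.edges[].permission` collects the permission of every collaborator whose login matches the author's login as a substring, and the MAINTAIN/ADMIN check can pass on another collaborator's permission rather than the author's. Request `node { login }` beside `permission` and select the edge whose login equals the author before reading its permission; passing the login through `env:` instead of expression interpolation also keeps the script text fixed. Also check `$LASTEXITCODE` after `gh @ApiParameters`: the step does fail closed on an API error because `$Permissions` stays empty, but it then reports the author as lacking permissions, which would hide a token-scope problem (or the connection rejecting a query without `first`/`last`, if it does).
```yaml
        env:
          GITHUB_TOKEN: ${{ github.token }}
          ACTOR: ${{ github.event.pull_request.user.login }}
        run: |
          # … unchanged: $Query here-string, except `edges { node { login } permission }` …
          $ApiParameters = @(
            # … unchanged: 'api', 'graphql' and the owner/repo -F arguments …
            '-F', "actor=$env:ACTOR"
            '-f', "query=$Query"
            '--jq', ".data.repository.collaborators.edges[] | select(.node.login == `"$env:ACTOR`") | .permission"
          )
          [string[]]$Permissions = gh @ApiParameters
          if ($LASTEXITCODE -ne 0) {
            throw "Collaborator lookup failed with exit code $LASTEXITCODE"
          }
          # … unchanged: MAINTAIN/ADMIN check …
```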