ci: pr build

.github/scripts/pr-build-check.ts

@@ -0,0 +1,205 @@
+/**
+ * PR Build Check Script
+ * 检查 PR 构建触发条件和用户权限
+ *
+ * 环境变量:
+ * - GITHUB_TOKEN: GitHub API Token
+ * - GITHUB_EVENT_NAME: 事件名称
+ * - GITHUB_EVENT_PATH: 事件 payload 文件路径
+ * - GITHUB_REPOSITORY: 仓库名称 (owner/repo)
+ * - GITHUB_OUTPUT: 输出文件路径
+ */
+
+import { readFileSync } from 'node:fs';
+import { GitHubAPI, getEnv, getRepository, setOutput, PullRequest } from './lib/github.ts';
+
+// ============== 类型定义 ==============
+
+interface GitHubPayload {
+  pull_request?: PullRequest;
+  issue?: {
+    number: number;
+    pull_request?: object;
+  };
+  comment?: {
+    body: string;
+    user: { login: string; };
+  };
+}
+
+interface CheckResult {
+  should_build: boolean;
+  pr_number?: number;
+  pr_sha?: string;
+  pr_head_repo?: string;
+  pr_head_ref?: string;
+}
+
+// ============== 权限检查 ==============
+
+async function checkUserPermission (
+  github: GitHubAPI,
+  owner: string,
+  repo: string,
+  username: string
+): Promise<boolean> {
+  // 方法1：检查仓库协作者权限
+  try {
+    const permission = await github.getCollaboratorPermission(owner, repo, username);
+    if (['admin', 'write', 'maintain'].includes(permission)) {
+      console.log(`✓ User ${username} has ${permission} permission`);
+      return true;
+    }
+    console.log(`✗ User ${username} has ${permission} permission (insufficient)`);
+  } catch (e) {
+    console.log(`✗ Failed to get collaborator permission: ${(e as Error).message}`);
+  }
+
+  // 方法2：检查组织成员身份
+  try {
+    const repoInfo = await github.getRepository(owner, repo);
+    if (repoInfo.owner.type === 'Organization') {
+      const isMember = await github.checkOrgMembership(owner, username);
+      if (isMember) {
+        console.log(`✓ User ${username} is organization member`);
+        return true;
+      }
+      console.log(`✗ User ${username} is not organization member`);
+    }
+  } catch (e) {
+    console.log(`✗ Failed to check org membership: ${(e as Error).message}`);
+  }
+
+  return false;
+}
+
+// ============== 事件处理 ==============
+
+function handlePullRequestTarget (payload: GitHubPayload): CheckResult {
+  const pr = payload.pull_request;
+
+  if (!pr) {
+    console.log('✗ No pull_request in payload');
+    return { should_build: false };
+  }
+
+  if (pr.state !== 'open') {
+    console.log(`✗ PR is not open (state: ${pr.state})`);
+    return { should_build: false };
+  }
+
+  console.log(`✓ PR #${pr.number} is open, triggering build`);
+  return {
+    should_build: true,
+    pr_number: pr.number,
+    pr_sha: pr.head.sha,
+    pr_head_repo: pr.head.repo.full_name,
+    pr_head_ref: pr.head.ref,
+  };
+}
+
+async function handleIssueComment (
+  payload: GitHubPayload,
+  github: GitHubAPI,
+  owner: string,
+  repo: string
+): Promise<CheckResult> {
+  const { issue, comment } = payload;
+
+  if (!issue || !comment) {
+    console.log('✗ No issue or comment in payload');
+    return { should_build: false };
+  }
+
+  // 检查是否是 PR 的评论
+  if (!issue.pull_request) {
+    console.log('✗ Comment is not on a PR');
+    return { should_build: false };
+  }
+
+  // 检查是否是 /build 命令
+  if (!comment.body.trim().startsWith('/build')) {
+    console.log('✗ Comment is not a /build command');
+    return { should_build: false };
+  }
+
+  console.log(`→ /build command from @${comment.user.login}`);
+
+  // 获取 PR 详情
+  const pr = await github.getPullRequest(owner, repo, issue.number);
+
+  // 检查 PR 状态
+  if (pr.state !== 'open') {
+    console.log(`✗ PR is not open (state: ${pr.state})`);
+    await github.createComment(owner, repo, issue.number, '⚠️ 此 PR 已关闭，无法触发构建。');
+    return { should_build: false };
+  }
+
+  // 检查用户权限
+  const username = comment.user.login;
+  const hasPermission = await checkUserPermission(github, owner, repo, username);
+
+  if (!hasPermission) {
+    console.log(`✗ User ${username} has no permission`);
+    await github.createComment(
+      owner,
+      repo,
+      issue.number,
+      `⚠️ @${username} 您没有权限使用 \`/build\` 命令，仅仓库协作者或组织成员可使用。`
+    );
+    return { should_build: false };
+  }
+
+  console.log(`✓ Build triggered by @${username}`);
+  return {
+    should_build: true,
+    pr_number: issue.number,
+    pr_sha: pr.head.sha,
+    pr_head_repo: pr.head.repo.full_name,
+    pr_head_ref: pr.head.ref,
+  };
+}
+
+// ============== 主函数 ==============
+
+async function main (): Promise<void> {
+  console.log('🔍 PR Build Check\n');
+
+  const token = getEnv('GITHUB_TOKEN', true);
+  const eventName = getEnv('GITHUB_EVENT_NAME', true);
+  const eventPath = getEnv('GITHUB_EVENT_PATH', true);
+  const { owner, repo } = getRepository();
+
+  console.log(`Event: ${eventName}`);
+  console.log(`Repository: ${owner}/${repo}\n`);
+
+  const payload = JSON.parse(readFileSync(eventPath, 'utf-8')) as GitHubPayload;
+  const github = new GitHubAPI(token);
+
+  let result: CheckResult;
+
+  switch (eventName) {
+    case 'pull_request_target':
+      result = handlePullRequestTarget(payload);
+      break;
+    case 'issue_comment':
+      result = await handleIssueComment(payload, github, owner, repo);
+      break;
+    default:
+      console.log(`✗ Unsupported event: ${eventName}`);
+      result = { should_build: false };
+  }
+
+  // 输出结果
+  console.log('\n=== Outputs ===');
+  setOutput('should_build', String(result.should_build));
+  setOutput('pr_number', String(result.pr_number ?? ''));
+  setOutput('pr_sha', result.pr_sha ?? '');
+  setOutput('pr_head_repo', result.pr_head_repo ?? '');
+  setOutput('pr_head_ref', result.pr_head_ref ?? '');
+}
+
+main().catch((error) => {
+  console.error('❌ Error:', error);
+  process.exit(1);
+});