authorMarc Cornellà <marc@mcornella.com>2025-09-19 15:58:21 +0200
committerGitHub <noreply@github.com>2025-09-19 15:58:21 +0200
commitc87eb79140ac359cf4f71604ddbf7209e1282939 (patch)
treeb1fb052fd7ea1c855e85bd756a0e5074f1c270b4
parentc1e9748909af0f26dfe45c98b1f5527c790e31c4 (diff)
feat(cli): only allow `omz pr test` on PRs with `testers needed` label (#13238)
-rw-r--r--lib/cli.zsh40
1 files changed, 39 insertions, 1 deletions
diff --git a/lib/cli.zsh b/lib/cli.zsh
index 0b144e4e7..a002a5073 100644
--- a/lib/cli.zsh
+++ b/lib/cli.zsh
@@ -621,10 +621,48 @@ function _omz::pr::test {
done
(( $found )) || {
- _omz::log error "could not found the ohmyzsh git remote. Aborting..."
+ _omz::log error "could not find the ohmyzsh git remote. Aborting..."
return 1
}
+ # Check if Pull Request has the "testers needed" label
+ _omz::log info "checking if PR #$1 has the 'testers needed' label..."
+ local pr_json label label_id="MDU6TGFiZWw4NzY1NTkwNA=="
+ pr_json=$(
+ curl -fsSL \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "https://api.github.com/repos/ohmyzsh/ohmyzsh/pulls/$1"
+ )
+
+ if [[ $? -gt 0 || -z "$pr_json" ]]; then
+ _omz::log error "error when trying to fetch PR #$1 from GitHub."
+ return 1
+ fi
+
+ # Check if the label is present with jq or grep
+ if (( $+commands[jq] )); then
+ label="$(command jq ".labels.[] | select(.node_id == \"$label_id\")" <<< "$pr_json")"
+ else
+ label="$(command grep "\"$label_id\"" <<< "$pr_json" 2>/dev/null)"
+ fi
+
+ # If a maintainer hasn't labeled the PR to test, explain the security risk
+ if [[ -z "$label" ]]; then
+ _omz::log warn "PR #$1 does not have the 'testers needed' label. This means that the PR"
+ _omz::log warn "has not been reviewed by a maintainer and may contain malicious code."
+
+ # Ask for explicit confirmation: user needs to type "yes" to continue
+ _omz::log prompt "Do you want to continue testing it? [yes/N] "
+ builtin read -r
+ if [[ "${REPLY:l}" != yes ]]; then
+ _omz::log error "PR test canceled. Please ask a maintainer to review and label the PR."
+ return 1
+ else
+ _omz::log warn "Continuing to check out and test PR #$1. Be careful!"
+ fi
+ fi
+
# Fetch pull request head
_omz::log info "fetching PR #$1 to ohmyzsh/pull-$1..."
command git fetch -f "$remote" refs/pull/$1/head:ohmyzsh/pull-$1 || {
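Review bot: The jq branch uses the filter `.labels.[]`, which older jq releases (before 1.7, as far as I know) reject as a syntax error, and jq's exit status is never checked. On such a system `$label` stays empty, so a correctly labeled PR still gets the "has not been reviewed" warning, and users learn to type `yes` past a prompt that is meant to be rare. The portable form also avoids interpolating into the filter: `label="$(command jq --arg id "$label_id" '.labels[] | select(.node_id == $id)' <<< "$pr_json")"`, with a non-zero jq status reported as a tool error rather than as a missing label. Separately, the label is a property of the PR while the fetch below takes whatever `refs/pull/$1/head` points to at that moment, so it is worth a comment such as `# NOTE: the label does not pin a commit; commits pushed after labeling are fetched too` unless maintainers are known to re-review on every push. The body of `_omz::pr::test` starts and continues outside this hunk, so any earlier validation of `$1` is not visible here.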