Update nginx.org-make-aws.yml

Author: eepifanova

.github/workflows/nginx.org-make-aws.yml

@@ -40,30 +40,53 @@ defaults:
     shell: 'bash -Eeo pipefail -x {0}'
 
 jobs:
+  check-if-allowed:
+    if: ${{ ( github.repository_owner == 'nginx' || github.repository_owner == 'nginxinc' ) }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check if we're in the allowed environment
+        run: |
+          org_found=0
+          event_found=0
+          ref_found=0
+          user_found=0
+          ALLOWED_ORGS="nginx nginxinc"
+          ALLOWED_EVENTS="push workflow_dispatch"
+          ALLOWED_REFS="refs/heads/main"
+          ALLOWED_USERS="${{ secrets.ALLOWED_USERS }}"
+          for org in $ALLOWED_ORGS; do
+            if [ "$org" == "$GITHUB_REPOSITORY_OWNER" ]; then org_found=1; fi
+          done
+          for event in $ALLOWED_EVENTS; do
+            if [ "$event" == "$GITHUB_EVENT_NAME" ]; then event_found=1; fi
+          done
+          for ref in $ALLOWED_REFS; do
+            if [ ${{ inputs.deployment_env } == 'prod' ]; then
+              if [ "$ref" == "$GITHUB_REF" ]; then ref_found=1; fi
+            else
+              ref_found=1
+            fi
+          done
+          for user in ALLOWED_USERS; do
+            if [ ${{ inputs.deployment_env } == 'prod' ]; then
+              if [ "$user" == "$GITHUB_ACTOR" ]; then user_found=1; fi
+            else
+              user_found=1
+            fi
+          done
+          if [ $org_found$event_found$ref_found -ne 1111 ]; then
+            echo "Repository owner, event, ref or actor are not explicitely allowed to use this workflow: $GITHUB_REPOSITORY_OWNER, $GITHUB_EVENT_NAME, $GITHUB_REF, $GITHUB_ACTOR"
+            exit 1
+          fi
+          exit 0
+          
   build-staging:
     name: build-staging
     runs-on: ubuntu-latest
     if: ${{ inputs.deployment_env == 'staging' }}
 
-    steps:
-
-      - name: Decode OIDC sub
-        uses: actions/github-script@v7
-        id: oidc
-        with:
-          script: |
-            const idToken = await core.getIDToken();
-            const payload = idToken.split('.')[1];
-            const decoded = Buffer.from(payload, 'base64').toString('utf8');
-            core.info(decoded);
-
-      - name: Debug context
-        run: |
-          echo "Repository: $GITHUB_REPOSITORY"
-          echo "Ref:        $GITHUB_REF"
-          echo "Actor:      $GITHUB_ACTOR"
-          echo "${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}"
-        
+    steps:        
       - name: Install dependencies
         run: |
           sudo apt-get update
@@ -119,8 +142,15 @@ jobs:
       - name: Deployment summary
         run: |
           {
-            echo "### Deployment staging to https://${{ inputs.url_staging }}/${GITHUB_SHA}"
-            echo "### It should be accessible in 5 minutes"
+            echo "### Deployment Summary"
+            echo ""
+            echo "| Key             | Value |"
+            echo "|------------------|-------|"
+            echo "| deployment_env  | ${{ inputs.deployment_env }} |"
+            echo "| repository      | $GITHUB_REPOSITORY |"
+            echo "| actor           | $GITHUB_ACTOR |"
+            echo "| commit          | $GITHUB_SHA |"
+            echo "| Public URL      | https://${{ inputs.url_staging }}/${GITHUB_SHA} |"
           } >> $GITHUB_STEP_SUMMARY
           
   build-prod:
@@ -129,35 +159,6 @@ jobs:
     if: ${{ inputs.deployment_env == 'prod' }}
 
     steps:
-    
-      - name: Check prod access
-        if: ${{ inputs.deployment_env == 'prod' }}
-        run: |
-          if [ "$GITHUB_REF" != "refs/heads/main" ]; then
-            echo "Error: Production deployments are only allowed from the main branch."
-            exit 1
-          fi
-
-          if [ "$GITHUB_REPOSITORY_OWNER" != "nginx" ] && [ "$GITHUB_REPOSITORY_OWNER" != "nginxinc" ]; then
-            echo "Error: This workflow is only allowed in repositories owned by 'nginx' or 'nginxinc'."
-            exit 1
-          fi
-
-          allowed=false
-          USER_LIST="${{ secrets.ALLOWED_USERS }}"
-          for user in $USER_LIST; do
-            if [ "$GITHUB_ACTOR" == "$user" ]; then
-              echo "User $GITHUB_ACTOR is allowed to deploy to prod"
-              allowed=true
-              break
-            fi
-          done
-
-          if [ "$allowed" != true ]; then
-            echo "User $GITHUB_ACTOR is NOT allowed to deploy to prod"
-            exit 1
-          fi
-
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
@@ -194,5 +195,13 @@ jobs:
       - name: Deployment summary
         run: |
           {
-            echo "### prod is deployed by $GITHUB_ACTOR from $GITHUB_REPOSITORY/$GITHUB_SHA"
+            echo "### Deployment Summary"
+            echo ""
+            echo "| Key             | Value |"
+            echo "|------------------|-------|"
+            echo "| deployment_env  | ${{ inputs.deployment_env }} |"
+            echo "| repository      | $GITHUB_REPOSITORY |"
+            echo "| actor           | $GITHUB_ACTOR |"
+            echo "| commit          | $GITHUB_SHA |"
+            echo "| Public URL      | https://${{ inputs.url_staging }}/preview |"
           } >> $GITHUB_STEP_SUMMARY