api.rego
package werft
# Deny by default: a request is authorised only when at least one `allow`
# rule in this package matches it; anything else evaluates to false.
default allow = false
# ListJobs is open to every caller: this rule never consults input.auth, so it
# also matches requests that carry no known identity.
# NOTE(review): confirm job listings are meant to be readable anonymously.
allow {
	"/v1.WerftService/ListJobs" == input.method
}
# Listen is open to every caller: this rule never consults input.auth, so it
# also matches requests that carry no known identity.
# NOTE(review): Listen presumably streams job updates/output; confirm that
# nothing sensitive (tokens, secrets echoed by a job) can reach that stream.
allow {
	"/v1.WerftService/Listen" == input.method
}
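# Allow team members to start a GitHub job that carries a sideload, but only
# when the request names a branch other than main.
#
# The ref is bound to a local and required to be a non-empty string before the
# negated prefix test. In Rego, `not f(x)` also succeeds when `x` is undefined
# (or when the builtin fails on a non-string value), so without these guards a
# request that omits metadata.repository.ref would satisfy the "not on main"
# condition instead of being denied.
#
# startswith is a prefix match: every ref beginning with "refs/heads/main"
# (for example a branch named "main-backup") is excluded as well.
#
# NOTE(review): only `ref` is constrained here; confirm the server resolves the
# commit it builds from this ref and not from another field of the request.
allow {
	input.method == "/v1.WerftService/StartGitHubJob"
	is_team_member
	input.message.sideload != ""

	ref := input.message.metadata.repository.ref
	is_string(ref)
	ref != ""
	not startswith(ref, "refs/heads/main")
}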
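# Allow team members to start a GitHub job with an inline custom job definition
# (job_yaml), but only when the request names a branch other than main.
#
# The ref is bound to a local and required to be a non-empty string before the
# negated prefix test. In Rego, `not f(x)` also succeeds when `x` is undefined
# (or when the builtin fails on a non-string value), so without these guards a
# request that omits metadata.repository.ref would satisfy the "not on main"
# condition instead of being denied.
#
# startswith is a prefix match: every ref beginning with "refs/heads/main"
# (for example a branch named "main-backup") is excluded as well.
#
# NOTE(review): only `ref` is constrained here; confirm the server resolves the
# commit it builds from this ref and not from another field of the request.
allow {
	input.method == "/v1.WerftService/StartGitHubJob"
	is_team_member
	input.message.job_yaml != ""

	ref := input.message.metadata.repository.ref
	is_string(ref)
	ref != ""
	not startswith(ref, "refs/heads/main")
}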
# Team members may start a plain GitHub job on any branch, main included,
# provided the request carries no custom job definition and no sideload.
#
# Each `not input.message.<field>` holds when the field is absent or false.
# An empty string is a defined value, so a request that carries for example
# `"sideload": ""` does not match this rule and falls through to the default
# deny.
# NOTE(review): the sideload and job_yaml rules compare those fields against
# ""; confirm how the server encodes unset fields so the rules agree.
allow {
	input.method == "/v1.WerftService/StartGitHubJob"
	is_team_member
	not input.message.sideload
	not input.message.job_yaml
	not input.message.job_path
}
# Team members may re-run a job that was started before.
# The rule looks only at the method name and the caller's identity; nothing
# about the job being replayed is inspected.
# NOTE(review): confirm that replaying a job cannot carry a sideload or custom
# job definition onto a branch the StartGitHubJob rules would have refused.
allow {
	input.method == "/v1.WerftService/StartFromPreviousJob"
	is_team_member
}
# is_team_member holds when the caller is flagged as known and at least one of
# the addresses in input.auth.emails ends with "@gitpod.io".
#
# endswith is case-sensitive, so an address with a differently-cased domain
# does not match. One matching address is enough; the others are ignored.
# NOTE(review): membership rests entirely on the e-mail suffix; confirm the
# authentication layer only places verified addresses in input.auth.emails.
is_team_member {
	email := input.auth.emails[_]
	endswith(email, "@gitpod.io")
	input.auth.known
}