Add script to validate contributor permissions

images.CI/macos/azure-pipelines/image-generation.yml

@@ -9,22 +9,22 @@ jobs:
   - group: Mac-Cloud Image Generation Key Vault
 
   steps:
-  - pwsh: |
-      $allowedContributors = $env:CONTRIBUTOR_ALLOWLIST.Split(",").Trim()
-      $validСontributor = $allowedContributors | Where-Object { $_ -eq $env:BUILD_SOURCEVERSIONAUTHOR } `
-                                               | Select-Object -First 1
-
-      if (-not $validСontributor) {
-        Write-Host "Failed to start this build. $env:BUILD_SOURCEVERSIONAUTHOR is an unknown contributor"
-        Write-Host "Please add $env:BUILD_SOURCEVERSIONAUTHOR to the allowed list to run builds"
-        exit 1
-      }
-    displayName: Validate contributor permissions
-
   - checkout: self
     clean: true
     fetchDepth: 1
 
+  - task: PowerShell@2
+    displayName: 'Validate contributor permissions'
+    condition: startsWith(variables['Build.SourceBranch'], 'refs/pull/')
+    inputs:
+      targetType: 'filePath'
+      filePath: ./images.CI/macos/validate-contributor.ps1
+      pwsh: true
+      arguments: -RepositoryName "$(Build.Repository.Name)" `
+                 -AccessToken "$(GITHUB_FEED_TOKEN)" `
+                 -SourceBranch "$(Build.SourceBranch)" `
+                 -ContributorAllowList "$(CONTRIBUTOR_ALLOWLIST)"
+
   - task: PowerShell@2
     displayName: 'Download custom repository'
     condition: and(ne(variables['CUSTOM_REPOSITORY_URL'], ''), ne(variables['CUSTOM_REPOSITORY_BRANCH'], ''))

images.CI/macos/validate-contributor.ps1

@@ -0,0 +1,63 @@
+param(
+    [Parameter(Mandatory)] [string] $RepositoryName,
+    [Parameter(Mandatory)] [string] $AccessToken,
+    [Parameter(Mandatory)] [string] $SourceBranch,
+    [Parameter(Mandatory)] [string] $ContributorAllowList
+)
+
+function Build-AuthHeader {
+    param(
+        [Parameter(Mandatory)] [string] $AccessToken
+    )
+
+    $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("'':${AccessToken}"))
+    return "Basic ${base64AuthInfo}"
+}
+
+function Get-PullRequest {
+    param(
+        [Parameter(Mandatory)] [string] $RepositoryName,
+        [Parameter(Mandatory)] [string] $AccessToken,
+        [Parameter(Mandatory)] [UInt32] $PullRequestNumber
+    )
+
+    $requestUrl = "https://api.github.com/repos/$RepositoryName/pulls/$PullRequestNumber"
+    $authHeader = Build-AuthHeader -AccessToken $AccessToken
+
+    $params = @{
+        Method = "GET"
+        ContentType = "application/json"
+        Uri = $requestUrl
+        Headers = @{ Authorization = $authHeader }
+    }
+
+    return Invoke-RestMethod @params
+}
+
+function Validate-ContributorPermissions {
+    param(
+        [Parameter(Mandatory)] [string] $ContributorAllowList,
+        [Parameter(Mandatory)] [string] $ContributorName
+    )
+
+    $allowedContributors = $ContributorAllowList.Split(",").Trim()
+    $validСontributor = $allowedContributors | Where-Object { $_ -eq $ContributorName } `
+                                             | Select-Object -First 1
+
+    if (-not $validСontributor) {
+       Write-Host "Failed to start this build. '$ContributorName' is an unknown contributor"
+       Write-Host "Please add '$ContributorName' to the allowed list to run builds"
+       exit 1
+    }
+}
+
+$pullRequestNumber = $SourceBranch.Split("/")[2]
+
+$pullRequestInfo = Get-PullRequest -RepositoryName $RepositoryName `
+                                   -AccessToken $AccessToken `
+                                   -PullRequestNumber $pullRequestNumber
+
+$contributorName = $pullRequestInfo.user.login
+
+Validate-ContributorPermissions -ContributorAllowList $ContributorAllowList `
+                                -ContributorName $contributorName