Prevent unauthorized use of the self-hosted runners

Since we have to self-host the Windows/ARM64 build agents for now, let's
cap the cost by disallowing random Pull Requests to use up our
resources.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Author: dscho

GitForWindowsHelper/check-runs.js

@@ -59,7 +59,20 @@ const updateCheckRun = async (context, token, owner, repo, checkRunId, parameter
     )
 }
 
+const cancelWorkflowRun = async (context, token, owner, repo, workflowRunId) => {
+    const githubApiRequest = require('./github-api-request')
+
+    const answer = await githubApiRequest(
+        context,
+        token,
+        'POST',
+        `/repos/${owner}/${repo}/actions/runs/${workflowRunId}/cancel`
+    )
+    console.log(answer)
+}
+
 module.exports = {
     queueCheckRun,
-    updateCheckRun
+    updateCheckRun,
+    cancelWorkflowRun
 }

GitForWindowsHelper/index.js

@@ -31,6 +31,19 @@ module.exports = async function (context, req) {
         return withStatus(500, undefined, e.toString('utf-8'))
     }
 
+    try {
+        const selfHostedARM64Runners = require('./self-hosted-arm64-runners')
+        if (req.headers['x-github-event'] === 'workflow_job'
+            && req.body.repository.full_name === 'git-for-windows/git-for-windows-automation'
+            && ['queued', 'completed'].includes(req.body.action)
+            && req.body.workflow_job.labels.length === 2
+            && req.body.workflow_job.labels[0] === 'Windows'
+            && req.body.workflow_job.labels[1] === 'ARM64') return ok(await selfHostedARM64Runners(context, req))
+    } catch (e) {
+        context.log(e)
+        return withStatus(500, undefined, e.toString('utf-8'))
+    }
+
     context.log("Got headers")
     context.log(req.headers)
     context.log("Got body")

GitForWindowsHelper/self-hosted-arm64-runners.js

@@ -0,0 +1,39 @@
+module.exports = async (context, req) => {
+    const action = req.body.action
+    const owner = req.body.repository.owner.login
+    const repo = req.body.repository.name
+    const sender = req.body.sender.login
+
+    const getToken = (() => {
+        let token
+
+        const get = async () => {
+            const getInstallationIdForRepo = require('./get-installation-id-for-repo')
+            const installationId = await getInstallationIdForRepo(context, owner, repo)
+            const getInstallationAccessToken = require('./get-installation-access-token')
+            return await getInstallationAccessToken(context, installationId)
+        }
+
+        return async () => token || (token = await get())
+    })()
+
+    const isAllowed = async (login) => {
+        const getCollaboratorPermissions = require('./get-collaborator-permissions')
+        const token = await getToken()
+        const permission = await getCollaboratorPermissions(context, token, owner, repo, login)
+        return ['ADMIN', 'MAINTAIN', 'WRITE'].includes(permission.toString())
+    }
+
+    if (!isAllowed(sender)) {
+        if (action !== 'completed') {
+            // Cancel workflow run
+            const { cancelWorkflowRun } = require('./check-runs')
+            const token = await getToken()
+            const workflowRunId = req.body.workflow_job.run_id
+            await cancelWorkflowRun(context, token, owner, repo, workflowRunId)
+        }
+        throw new Error(`${sender} is not allowed to do that`)
+    }
+
+    return `Unhandled action: ${action}`
+}