From f3ec70358f6b1b35b9720ba3f6e6874a5845e38a Mon Sep 17 00:00:00 2001
From: Sai Kumar Battinoju
Date: Wed, 11 Dec 2024 19:53:53 +0530
Subject: [PATCH] chore: add check for actor
---
 .github/workflows/unit-tests-and-lint.yml | 1 +
 .github/workflows/update-cache-policy.yml | 24 ++++++++++++++++++++++-
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/unit-tests-and-lint.yml b/.github/workflows/unit-tests-and-lint.yml
index 86d5e47ce..deac21cae 100644
--- a/.github/workflows/unit-tests-and-lint.yml
+++ b/.github/workflows/unit-tests-and-lint.yml
@@ -76,3 +76,4 @@ jobs:
 AWS_PROD_ACCOUNT_ID: ${{ secrets.AWS_PROD_ACCOUNT_ID }}
 AWS_PROD_S3_BUCKET_NAME: ${{ secrets.AWS_PROD_S3_BUCKET_NAME }}
 AWS_PROD_S3_SYNC_ROLE: ${{ secrets.AWS_PROD_S3_SYNC_ROLE }}
+ PAT: ${{ secrets.PAT }}
diff --git a/.github/workflows/update-cache-policy.yml b/.github/workflows/update-cache-policy.yml
index b28e5e84a..5a586d775 100644
--- a/.github/workflows/update-cache-policy.yml
+++ b/.github/workflows/update-cache-policy.yml
@@ -22,13 +22,35 @@ on:
 required: true
 AWS_PROD_S3_SYNC_ROLE:
 required: true
+ PAT:
+ required: true
 permissions:
 id-token: write # allows the JWT to be requested from GitHub's OIDC provider
 contents: read # This is required for actions/checkout
 jobs:
+ check-actor:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check if valid actor
+ env:
+ ORG_NAME: rudderlabs
+ TEAM_NAME: js-sdk
+ run: |
+ actor=${{ github.actor || github.triggering_actor }}
+ response=$(curl -s -H "Authorization: Bearer ${{ secrets.PAT }}" \
+ "https://api.github.com/orgs/$ORG_NAME/teams/$TEAM_NAME/members/$actor")
+
+ if echo "$response" | grep -q '"state": "active"'; then
+ echo "$actor is a member of $TEAM_NAME"
+ else
+ echo "$actor is NOT a member of $TEAM_NAME"
+ exit 1
+ fi
+
 update-cache-policy:
+ needs: check-actor
 name: Update cache control policy for SDK artifacts
 runs-on: [self-hosted, Linux, X64]
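Review bot: In the `check-actor` step, `github.actor || github.triggering_actor` always resolves to `github.actor`, which on a re-run is still the user who started the original run, so a re-run started by someone outside `js-sdk` passes the gate on the original member's name. Checking `github.triggering_actor` closes that gap. The step also expands `${{ … }}` expressions, including `secrets.PAT`, directly into the script text; passing them through `env:` keeps the token out of the rendered script and stops expression output from being parsed as shell. It is worth confirming that `/members/$actor` returns a body with a `state` field (the documented membership lookup is `/orgs/{org}/teams/{team_slug}/memberships/{username}`), because any API error, including an expired token, currently reads as "NOT a member". The token itself appears to need only read access to org team membership, so a narrowly scoped token fits better than a general-purpose PAT.

```yaml
        env:
          # … unchanged: ORG_NAME, TEAM_NAME …
          ACTOR: ${{ github.triggering_actor }}
          TEAM_READ_TOKEN: ${{ secrets.PAT }}
        run: |
          actor="$ACTOR"
          response=$(curl -s -H "Authorization: Bearer $TEAM_READ_TOKEN" \
            "https://api.github.com/orgs/$ORG_NAME/teams/$TEAM_NAME/members/$actor")
          # … unchanged: grep for "state": "active", exit 1 otherwise …
```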
@@ -55,7 +77,7 @@ jobs:
 parallel_jobs=$((num_cores * 2))
 echo "Detected $num_cores cores. Using $parallel_jobs parallel jobs."
- prefixes=("adobe-analytics-js" "latest")
+ prefixes=("adobe-analytics-js")
 for prefix in "${prefixes[@]}"; do
 echo "Processing prefix: $prefix"
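Review bot: Dropping `"latest"` from `prefixes` is not explained anywhere in this commit, whose subject is only about the actor check, and with the new list the loop no longer touches the `latest` prefix. If that is intended, a comment above the array would record why, for example `# "latest" is skipped here because <reason>`; if the list was narrowed for a test run, the original entries should come back before merge. The loop body continues outside the hunk.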