From f01c1d8b95c6325ba113e9cd5046342f410e35b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9CJamesHenry=E2=80=9D?= <james@henry.sc>
Date: Mon, 4 Mar 2024 15:03:03 +0400
Subject: [PATCH] chore(repo): check valid release authors for latest

---
 scripts/nx-release.ts | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/scripts/nx-release.ts b/scripts/nx-release.ts
index 8cf8fa7aa31f9..61675b63b55a3 100755
--- a/scripts/nx-release.ts
+++ b/scripts/nx-release.ts
@@ -11,6 +11,14 @@ import * as yargs from 'yargs';
 
 const LARGE_BUFFER = 1024 * 1000000;
 
+// DO NOT MODIFY, even for testing. This only gates releases to latest.
+const VALID_AUTHORS_FOR_LATEST = [
+  'jaysoo',
+  'JamesHenry',
+  'FrozenPandaz',
+  'vsavkin',
+];
+
 (async () => {
   const options = parseArgs();
   // Perform minimal logging by default
@@ -121,6 +129,17 @@ const LARGE_BUFFER = 1024 * 1000000;
   });
 
   const distTag = determineDistTag(options.version);
+  if (!distTag || distTag === 'latest') {
+    // We are only expecting latest releases to be performed within publish.yml on GitHub
+    const author = process.env.GITHUB_ACTOR ?? '';
+    if (!VALID_AUTHORS_FOR_LATEST.includes(author)) {
+      throw new Error(
+        `The GitHub user "${author}" is not allowed to publish to "latest". Please request one of the following users to carry out the release: ${VALID_AUTHORS_FOR_LATEST.join(
+          ', '
+        )}`
+      );
+    }
+  }
 
   if (options.dryRun) {
     console.warn('Not Publishing because --dryRun was passed');