fix(lambda): Prevent scale-up lambda from starting runner for user repo if org level runners is enabled

PerGon · PerGon · commit 7a37d5bceab8 · 2024-05-13T23:37:30.000+02:00
diff --git a/lambdas/functions/control-plane/src/lambda.test.ts b/lambdas/functions/control-plane/src/lambda.test.ts
@@ -15,6 +15,7 @@ const body: ActionRequestMessage = {
   installationId: 1,
   repositoryName: 'name',
   repositoryOwner: 'owner',
+  repoOwnerType: "Organization",
 };
 
 const sqsRecord: SQSRecord = {
diff --git a/lambdas/functions/control-plane/src/scale-runners/scale-up.test.ts b/lambdas/functions/control-plane/src/scale-runners/scale-up.test.ts
@@ -53,6 +53,16 @@ const TEST_DATA: scaleUpModule.ActionRequestMessage = {
   repositoryName: 'hello-world',
   repositoryOwner: 'Codertocat',
   installationId: 2,
+  repoOwnerType: "Organization",
+};
+
+const TEST_DATA_USER_REPO: scaleUpModule.ActionRequestMessage = {
+  id: 1,
+  eventType: 'workflow_job',
+  repositoryName: 'hello-world',
+  repositoryOwner: 'Octocat',
+  installationId: 2,
+  repoOwnerType: "User",
 };
 
 // installationId 0 means no installationId is set.
@@ -62,6 +72,7 @@ const TEST_DATA_WITH_ZERO_INSTALL_ID: scaleUpModule.ActionRequestMessage = {
   repositoryName: 'hello-world',
   repositoryOwner: 'Codertocat',
   installationId: 0,
+  repoOwnerType: "Organization",
 };
 
 const cleanEnv = process.env;
@@ -305,6 +316,11 @@ describe('scaleUp with GHES', () => {
       expect(mockOctokit.paginate).toHaveBeenCalledTimes(1);
     });
 
+    it('Throws error if it is a User repo and org level runners is enabled', () => {
+      process.env.ENABLE_ORGANIZATION_RUNNERS = 'true';
+      expect(() => scaleUpModule.scaleUp('aws:sqs', TEST_DATA_USER_REPO)).rejects.toBeInstanceOf(Error);
+    });
+
     it('create SSM parameter for runner group id if it doesnt exist', async () => {
       mockSSMClient.on(GetParameterCommand).rejects();
       await scaleUpModule.scaleUp('aws:sqs', TEST_DATA);
diff --git a/lambdas/functions/control-plane/src/scale-runners/scale-up.ts b/lambdas/functions/control-plane/src/scale-runners/scale-up.ts
@@ -27,6 +27,7 @@ export interface ActionRequestMessage {
   repositoryName: string;
   repositoryOwner: string;
   installationId: number;
+  repoOwnerType: string;
 }
 
 interface CreateGitHubRunnerConfig {
@@ -250,6 +251,16 @@ export async function scaleUp(eventSource: string, payload: ActionRequestMessage
         `Please ensure you have enabled workflow_job events.`,
     );
   }
+
+  if (enableOrgLevel && payload.repoOwnerType !== 'Organization') {
+    logger.warn(`Repository ${payload.repositoryOwner}/${payload.repositoryName} does not belong to a GitHub` +
+    `organization and organization runners are enabled. This is not supported. Not scaling up for this event.`);
+    throw Error(
+      `Repository ${payload.repositoryOwner}/${payload.repositoryName} does not belong to a GitHub` +
+    `organization and organization runners are enabled. This is not supported. Not scaling up for this event.`,
+    );
+  }
+
   const ephemeral = ephemeralEnabled && payload.eventType === 'workflow_job';
   const runnerType = enableOrgLevel ? 'Org' : 'Repo';
   const runnerOwner = enableOrgLevel ? payload.repositoryOwner : `${payload.repositoryOwner}/${payload.repositoryName}`;
diff --git a/lambdas/functions/webhook/src/sqs/index.test.ts b/lambdas/functions/webhook/src/sqs/index.test.ts
@@ -26,6 +26,7 @@ describe('Test sending message to SQS.', () => {
     repositoryOwner: 'owner',
     queueId: queueUrl,
     queueFifo: false,
+    repoOwnerType: 'Organization',
   };
 
   afterEach(() => {
diff --git a/lambdas/functions/webhook/src/sqs/index.ts b/lambdas/functions/webhook/src/sqs/index.ts
@@ -13,6 +13,7 @@ export interface ActionRequestMessage {
   installationId: number;
   queueId: string;
   queueFifo: boolean;
+  repoOwnerType: string;
 }
 
 export interface MatcherConfig {
diff --git a/lambdas/functions/webhook/src/webhook/index.test.ts b/lambdas/functions/webhook/src/webhook/index.test.ts
@@ -450,6 +450,7 @@ describe('handler', () => {
         installationId: 0,
         queueId: 'ubuntu-queue-id',
         queueFifo: false,
+        repoOwnerType: "Organization",
       });
     });
     it('Check webhook will accept jobs for latest labels if workflow labels are not specific', async () => {
@@ -492,6 +493,7 @@ describe('handler', () => {
         installationId: 0,
         queueId: 'ubuntu-queue-id',
         queueFifo: false,
+        repoOwnerType: "Organization",
       });
     });
   });
@@ -531,6 +533,7 @@ describe('handler', () => {
       installationId: 0,
       queueId: 'ubuntu-queue-id',
       queueFifo: false,
+      repoOwnerType: "Organization",
     });
   });
 
diff --git a/lambdas/functions/webhook/src/webhook/index.ts b/lambdas/functions/webhook/src/webhook/index.ts
@@ -53,6 +53,7 @@ async function handleWorkflowJob(
           installationId: installationId,
           queueId: queue.id,
           queueFifo: queue.fifo,
+          repoOwnerType: body.repository.owner.type,
         });
         logger.info(`Successfully queued job for ${body.repository.full_name} to the queue ${queue.id}`);
         return { statusCode: 201 };

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@ export interface ActionRequestMessage {`
`13`	`13`	`installationId: number;`
`14`	`14`	`queueId: string;`
`15`	`15`	`queueFifo: boolean;`
	`16`	`+ repoOwnerType: string;`
`16`	`17`	`}`
`17`	`18`
`18`	`19`	`export interface MatcherConfig {`