From 90e52f3dc1957cc59c2bd68878a6aa750b30f7ff Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 17 Jun 2025 09:16:30 -0400
Subject: [PATCH 1/3] Use deployment environment gating for integration tests.
---
.github/workflows/integration-test.yml | 50 +++++++++++++++++---------
1 file changed, 34 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml
index 294a2f3ea..ec56ec7cb 100644
--- a/.github/workflows/integration-test.yml
+++ b/.github/workflows/integration-test.yml
@@ -5,28 +5,46 @@ on:
types: [opened, synchronize, labeled, unlabled, reopened]
jobs:
+ authorization-check:
+ permissions: read-all
+ runs-on: ubuntu-latest
+ outputs:
+ approval-env: ${{ steps.collab-check.outputs.result }}
+ steps:
+ - name: Collaborator Check
+ uses: actions/github-script@v7
+ id: collab-check
+ with:
+ result-encoding: string
+ script: |
+ try {
+ const permissionResponse = await github.rest.repos.getCollaboratorPermissionLevel({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ username: context.payload.pull_request.user.login,
+ });
+ const permission = permissionResponse.data.permission;
+ const hasWriteAccess = ['write', 'admin'].includes(permission);
+ if (!hasWriteAccess) {
+ console.log(`User ${context.payload.pull_request.user.login} does not have write access to the repository (permission: ${permission})`);
+ return "manual-approval"
+ } else {
+ console.log(`Verifed ${context.payload.pull_request.user.login} has write access. Auto Approving PR Checks.`)
+ return "auto-approve"
+ }
+ } catch (error) {
+ console.log(`${context.payload.pull_request.user.login} does not have write access. Requiring Manual Approval to run PR Checks.`)
+ return "manual-approval"
+ }
check-access-and-checkout:
runs-on: ubuntu-latest
+ needs: authorization-check
+ environment: ${{ needs.authorization-check.outputs.approval-env }}
permissions:
id-token: write
pull-requests: read
contents: read
steps:
- - name: Check PR labels and author
- id: check
- uses: actions/github-script@v7
- with:
- script: |
- const pr = context.payload.pull_request;
-
- const labels = pr.labels.map(label => label.name);
- const hasLabel = labels.includes('approved-for-integ-test')
- if (hasLabel) {
- core.info('PR contains label approved-for-integ-test')
- return
- }
-
- core.setFailed('Pull Request must either have label approved-for-integ-test')
- name: Configure Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
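Review bot: The new `environment: ${{ needs.authorization-check.outputs.approval-env }}` line is only a gate if the `manual-approval` environment actually carries a required-reviewers rule, and nothing in the hunk records that dependency; an environment that a workflow names but that has never been configured in repository settings is created on first use with no protection rules (worth confirming against current GitHub behaviour), in which case an outside contributor's fork PR proceeds straight to `Configure Credentials` with `id-token: write` and the AWS role. Add above `environment:` the comment `# 'manual-approval' must exist in repo settings with required reviewers; an unprotected or auto-created environment makes this gate a no-op`. The collaborator check keys on `context.payload.pull_request.user.login`, i.e. the PR author, so a `synchronize` event on a PR opened by a write-access user is auto-approved regardless of who pushed the new head commit to the fork branch; that may be acceptable, but it deserves a one-line comment in `authorization-check` so the assumption is visible. Minor: `Verifed` in the write-access log message should read `Verified`.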
@@ -36,7 +54,7 @@ jobs:
- name: Checkout base branch
uses: actions/checkout@v4
with:
- ref: ${{ github.event.pull_request.head.ref }} # Pull the commit from the forked repo
+ ref: ${{ github.event.pull_request.head.sha }} # Pull the commit from the forked repo
persist-credentials: false # Don't persist credentials for subsequent actions
- name: Set up Python
uses: actions/setup-python@v5
From 91a955482e1b4b9bbad26769c2b1df626ec50390 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 17 Jun 2025 09:21:22 -0400
Subject: [PATCH 2/3] Only run on PRs that target main.
---
.github/workflows/integration-test.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml
index ec56ec7cb..f044e6b75 100644
--- a/.github/workflows/integration-test.yml
+++ b/.github/workflows/integration-test.yml
@@ -2,7 +2,7 @@ name: Secure Integration test
on:
pull_request_target:
- types: [opened, synchronize, labeled, unlabled, reopened]
+ branches: main
jobs:
authorization-check:
From 930a548cb184de99216d34f85d2bc825acae758e Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 17 Jun 2025 10:04:00 -0400
Subject: [PATCH 3/3] Use correct head name.
---
.github/workflows/integration-test.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml
index f044e6b75..39b53c499 100644
--- a/.github/workflows/integration-test.yml
+++ b/.github/workflows/integration-test.yml
@@ -51,7 +51,7 @@ jobs:
role-to-assume: ${{ secrets.STRANDS_INTEG_TEST_ROLE }}
aws-region: us-east-1
mask-aws-account-id: true
- - name: Checkout base branch
+ - name: Checkout head commit
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }} # Pull the commit from the forked repo
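Review bot: The `ref:` line now pins the checkout to `head.sha`, but its comment `# Pull the commit from the forked repo` still says only what is fetched, not why the SHA rather than a branch name matters in this job; because the job sits behind the environment gate, a branch name would be resolved whenever the job is finally released, while `head.sha` is the exact commit present in the event payload when the run was approved. Suggest replacing the comment with `# Pin to the SHA from the event payload: the fork branch can move between a reviewer's approval and this checkout`. The `check-access-and-checkout` job this step belongs to starts outside the hunk.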
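Review bot: Dropping the `types:` list under `pull_request_target` silently reverts the trigger to GitHub's default activity types (`opened`, `synchronize`, `reopened`), which is presumably intended now that the label check is gone, but the hunk does not say so, and a reader comparing against the removed `labeled`/`unlabled` list will wonder whether label events were dropped on purpose. Suggest adding `# default activity types; label events no longer matter since gating moved to the deployment environment` above `branches: main`. Also, `branches: main` as a bare scalar is accepted, but the documented form is a list, `branches: [main]`, matching the flow-list style the removed `types:` line used.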