Update NewDot deploy permissions.

.github/workflows/cherryPick.yml

@@ -15,14 +15,14 @@ jobs:
   validateActor:
     runs-on: ubuntu-latest
     outputs:
-      IS_DEPLOYER: ${{ steps.isUserDeployer.outputs.isTeamMember }}
+      IS_DEPLOYER: ${{ steps.isUserDeployer.outputs.isTeamMember || github.actor == 'OSBotify' }}
     steps:
       - id: isUserDeployer
         uses: tspascoal/get-user-teams-membership@baf2e6adf4c3b897bd65a7e3184305c165aec872
         with:
           GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
           username: ${{ github.actor }}
-          team: expensify-cash-deployers
+          team: mobile-deployers
 
   createNewVersion:
     needs: validateActor

.github/workflows/finishReleaseCycle.yml

@@ -6,23 +6,42 @@ on:
 
 # The updateProduction and createNewStagingDeployCash jobs are executed when a StagingDeployCash is closed.
 jobs:
-  checkDeployBlockers:
+  validate:
     runs-on: ubuntu-latest
     if: contains(github.event.issue.labels.*.name, 'StagingDeployCash')
 
     outputs:
-      hasDeployBlockers: ${{ steps.checkDeployBlockers.outputs.HAS_DEPLOY_BLOCKERS }}
+      isValid: ${{ steps.validateActor.outputs.isTeamMember && steps.checkDeployBlockers.outputs.HAS_DEPLOY_BLOCKERS == 'false' }}
 
     steps:
+      - name: Validate actor is deployer
+        id: validateActor
+        uses: tspascoal/get-user-teams-membership@baf2e6adf4c3b897bd65a7e3184305c165aec872
+        with:
+          GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
+          username: ${{ github.actor }}
+          team: mobile-deployers
+
+      - name: Reopen and comment on issue
+        if: ${{ !steps.validateActor.outputs.isTeamMember }}
+        uses: Expensify/App/.github/actions/reopenIssueWithComment@main
+        with:
+          GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          COMMENT: |
+            Sorry, only members of @Expensify/Mobile-Deployers can close deploy checklists.
+            Reopening!
+
       - name: Check for any deploy blockers
+        if: ${{ steps.validateActor.outputs.isTeamMember }}
         id: checkDeployBlockers
         uses: Expensify/App/.github/actions/checkDeployBlockers@main
         with:
           GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
           ISSUE_NUMBER: ${{ github.event.issue.number }}
 
       - name: Reopen and comment on issue
-        if: ${{ steps.checkDeployBlockers.outputs.HAS_DEPLOY_BLOCKERS == 'true' }}
+        if: ${{ steps.validateActor.outputs.isTeamMember && steps.checkDeployBlockers.outputs.HAS_DEPLOY_BLOCKERS == 'true' }}
         uses: Expensify/App/.github/actions/reopenIssueWithComment@main
         with:
           GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
@@ -34,10 +53,8 @@ jobs:
   # Update the production branch to trigger the production deploy.
   updateProduction:
     runs-on: ubuntu-latest
-
-    # Note: Anyone with Triage access to the New Expensify repo can trigger a production deploy
-    needs: checkDeployBlockers
-    if: ${{ needs.checkDeployBlockers.outputs.hasDeployBlockers == 'false' }}
+    needs: validate
+    if: ${{ needs.validate.outputs.isValid }}
     steps:
       - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f
         with:
@@ -54,8 +71,8 @@ jobs:
   # Deploy deferred PRs to staging and create a new StagingDeployCash for the next release cycle.
   createNewStagingDeployCash:
     runs-on: macos-11
-    needs: checkDeployBlockers
-    if: ${{ needs.checkDeployBlockers.outputs.hasDeployBlockers == 'false' }}
+    needs: validate
+    if: ${{ needs.validate.outputs.isValid }}
     steps:
       # Version: 2.3.4
       - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f

.github/workflows/platformDeploy.yml

@@ -13,9 +13,22 @@ env:
   DEVELOPER_DIR: /Applications/Xcode_12.5.app/Contents/Developer
 
 jobs:
+  validateActor:
+    runs-on: ubuntu-latest
+    outputs:
+      IS_DEPLOYER: ${{ steps.isUserDeployer.outputs.isTeamMember || github.actor == 'OSBotify' }}
+    steps:
+      - id: isUserDeployer
+        uses: tspascoal/get-user-teams-membership@baf2e6adf4c3b897bd65a7e3184305c165aec872
+        with:
+          GITHUB_TOKEN: ${{ secrets.OS_BOTIFY_TOKEN }}
+          username: ${{ github.actor }}
+          team: mobile-deployers
+
   android:
     name: Build and deploy Android
-    if: github.actor == 'OSBotify'
+    needs: validateActor
+    if: ${{ needs.validateActor.outputs.IS_DEPLOYER }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
@@ -78,7 +91,8 @@ jobs:
 
   desktop:
     name: Build and deploy Desktop
-    if: github.actor == 'OSBotify'
+    needs: validateActor
+    if: ${{ needs.validateActor.outputs.IS_DEPLOYER }}
     runs-on: macos-11
     steps:
       - uses: actions/checkout@v2
@@ -133,7 +147,8 @@ jobs:
 
   iOS:
     name: Build and deploy iOS
-    if: github.actor == 'OSBotify'
+    needs: validateActor
+    if: ${{ needs.validateActor.outputs.IS_DEPLOYER }}
     runs-on: macos-11
     steps:
       - uses: actions/checkout@v2
@@ -216,7 +231,8 @@ jobs:
 
   web:
     name: Build and deploy Web
-    if: github.actor == 'OSBotify'
+    needs: validateActor
+    if: ${{ needs.validateActor.outputs.IS_DEPLOYER }}
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
@@ -368,7 +384,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ github.token }}
           SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}
-      
+
       - name: 'Announces a production deploy in the #expensify-open-source Slack room'
         uses: 8398a7/action-slack@v3
         if: ${{ env.SHOULD_DEPLOY_PRODUCTION == 'true' }}