jupyterlab · brichet · Jan 14, 2026 · Jan 13, 2026 · Jan 13, 2026 · Jan 13, 2026
diff --git a/.github/actions/update-snapshots-checkout/action.yml b/.github/actions/update-snapshots-checkout/action.yml
@@ -0,0 +1,90 @@
+name: Check user permission and checkout the repository before running the update snapshots workflow
+description: |
+  Check user permission and checkout the repository before running the update snapshots workflow.
+  Reacts with either a thumb up or a thumb down to the comment depending on the user rights.
+
+inputs:
+  # Mandatory inputs
+  github_token:
+    description: "The GitHub token to use"
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Get commenter association
+      id: association
+      env:
+        GH_TOKEN: ${{ inputs.github_token }}
+      shell: bash -l {0}
+      run: |
+        association=$(gh api \
+          repos/${{ github.repository }}/issues/comments/${{ github.event.comment.id }} \
+          --jq '.author_association')
+
+        echo "association=$association" >> $GITHUB_OUTPUT
+
+    - name: Fail if user is not authorized
+      if: |
+        !contains(fromJSON('["OWNER","COLLABORATOR","MEMBER"]'), steps.association.outputs.association)
+      shell: bash -l {0}
+      run: |
+        gh api repos/${{ github.repository }}/issues/comments/${{ github.event.comment.id }}/reactions --raw-field 'content=-1'
+        echo "User not authorized to update snapshots"
+        exit 1
+      env:
+        GH_TOKEN: ${{ inputs.github_token }}
+
+    - name: React positively to the triggering comment
+      shell: bash -l {0}
+      run: |
+        gh api repos/${{ github.repository }}/issues/comments/${{ github.event.comment.id }}/reactions --raw-field 'content=+1'
+      env:
+        GH_TOKEN: ${{ inputs.github_token }}
+
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        token: ${{ inputs.github_token }}
+
+    - name: Configure git to use https
+      shell: bash -l {0}
+      run: git config --global hub.protocol https
+
+    - name: Get PR Info
+      id: pr
+      shell: bash -l {0}
+      env:
+        PR_NUMBER: ${{ github.event.issue.number }}
+        GH_TOKEN: ${{ inputs.github_token }}
+        GH_REPO: ${{ github.repository }}
+        COMMENT_AT: ${{ github.event.comment.created_at }}
+      run: |
+        pr="$(gh api /repos/${GH_REPO}/pulls/${PR_NUMBER})"
+        head_sha="$(echo "$pr" | jq -r .head.sha)"
+        pushed_at="$(echo "$pr" | jq -r .pushed_at)"
+
+        if [[ $(date -d "$pushed_at" +%s) -gt $(date -d "$COMMENT_AT" +%s) ]]; then
+            echo "Updating is not allowed because the PR was pushed to (at $pushed_at) after the triggering comment was issued (at $COMMENT_AT)"
+            exit 1
+        fi
+
+        echo "head_sha=$head_sha" >> $GITHUB_OUTPUT
+
+    - name: Checkout the branch from the PR that triggered the job
+      shell: bash -l {0}
+      env:
+        GITHUB_TOKEN: ${{ inputs.github_token }}
+      run: gh pr checkout ${{ github.event.issue.number }}
+
+    - name: Validate the fetched branch HEAD revision
+      shell: bash -l {0}
+      env:
+        EXPECTED_SHA: ${{ steps.pr.outputs.head_sha }}
+      run: |
+        actual_sha="$(git rev-parse HEAD)"
+
+        if [[ "$actual_sha" != "$EXPECTED_SHA" ]]; then
+            echo "The HEAD of the checked out branch ($actual_sha) differs from the HEAD commit available at the time when trigger comment was submitted ($EXPECTED_SHA)"
+            exit 1
+        fi