jupyterlab · brichet · Jan 14, 2026 · Jan 13, 2026 · Jan 13, 2026 · Jan 13, 2026
diff --git a/.github/actions/update-snapshots-check-permission/action.yml b/.github/actions/update-snapshots-check-permission/action.yml
@@ -0,0 +1,40 @@
+name: Check user permission before running the update snapshots workflow
+description: |
+  Check user permission before running the update snapshots workflow.
+  Reacts with either a thumb up or a thumb down to the comment depending on the user rights.
+
+inputs:
+  # Mandatory inputs
+  github_token:
+    description: "The GitHub token to use"
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Get commenter association
+      id: association
+      env:
+        GH_TOKEN: ${{ inputs.github_token }}
+      run: |
+        association=$(gh api \
+          repos/${{ github.repository }}/issues/comments/${{ github.event.comment.id }} \
+          --jq '.author_association')
+
+        echo "association=$association" >> $GITHUB_OUTPUT
+
+    - name: Fail if user is not authorized
+      if: |
+        !contains(fromJSON('["OWNER","COLLABORATOR","MEMBER"]'), steps.association.outputs.association)
+      run: |
+        gh api repos/${{ github.repository }}/issues/comments/${{ github.event.comment.id }}/reactions --raw-field 'content=-1'
+        echo "User not authorized to update snapshots"
+        exit 1
+      env:
+        GITHUB_TOKEN: ${{ inputs.github_token }}
+
+    - name: React positively to the triggering comment
+      run: |
+        gh api repos/${{ github.repository }}/issues/comments/${{ github.event.comment.id }}/reactions --raw-field 'content=+1'
+      env:
+        GITHUB_TOKEN: ${{ inputs.github_token }}