Approvers are not verified against required approvers for environment

[JakubBiel]

• I have searched through the current issues and did not find any that were related.

Describe the bug
From readme

• approvers is a comma-delimited list of all required approvers. An approver can either be a user or an org team. (Note: Required approvers must have the ability to be set as approvers in the repository. If you add an approver that doesn't have this permission then you would receive an HTTP/402 Validation Failed error when running this action)

This is a bit misleading. My understanding of it was that approvers are verified against required approvers for the environment the action runs in. This is however not the case and anyone with write permissions to the repository is able to approve when passed in approvers.

Expected behavior
A user that doesn't have permissions to approve a workflow should not be able to do so.

[snskArora]

No, the action does not read the environment approvers, furthermore, it would restrict the users who can approve and in my opinion, the developer should have the freedom to set the approvers.

If you want such functionality, I would say you can replicate the env approvers list in the approvers field of this action. If you want to secure your workflow such that no one (except a few), even from a non-default branch, should be able to change the approvers list, I would suggest setting a protection rule on .github/workflows dir.

[JakubBiel]

I think it's a valid concern because as it stands you're abstracting repository permissions settings to a workflow which is not great in terms of security in my opinion but fair enough. Still, it would be good to make it clear in the documentation what exact permissions the approvers need.

[snskArora]

That is a good point, maybe we add an input verifyAgainstEnvApprovers with the default value as false and if it is set to true, then we check. This should give us the best of both scenarios.

Will you be willing to take this up @JakubBiel ?

[JakubBiel]

I can give it a try!