Merge pull request #4 from Contrast-Security-OSS/PRODSEC-462

PRODDSEC-462 - Add support to policies hosted in private Github repositories

Author: DavidMContrast

CHANGELOG.md

@@ -0,0 +1,22 @@
+### Changelog
+
+All notable changes to this project will be documented in this file. Dates are displayed in UTC.
+
+Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
+
+#### [v1.0.1](https://github.com/Contrast-Security-OSS/actionbot/commit/fa95c969a50f6c331ec8ef19580fb9b8521851ca...https://github.com/Contrast-Security-OSS/actionbot/pull/4/commits/5f6c36987c9e39b866fd3b7aeed4203aeedb6265)
+
+- Bump eslint-plugin-github from 5.1.8 to 6.0.0 [`#1`](https://github.com/Contrast-Security-OSS/actionbot/pull/1)
+- Migration build [`#3`](https://github.com/Contrast-Security-OSS/actionbot/pull/3)
+- Migrate @actions/github from 4.0.0 to 6.0.0 [`#2`](https://github.com/Contrast-Security-OSS/actionbot/pull/2)
+- main.ts lint changes [`3182d32`](https://github.com/Contrast-Security-OSS/actionbot/commit/3182d3203c5c7dbc9edb7b96289aeddd38c62954)
+- Lint changes [`8235327`](https://github.com/Contrast-Security-OSS/actionbot/commit/823532706c187506bcb5f71d6bb00f8727390037)
+- Build [`4882543`](https://github.com/Contrast-Security-OSS/actionbot/commit/48825436495029524a627038ad1dcfb1999eb3c4)
+
+#### v1.0.0
+
+> 18 March 2025
+
+- Add files via upload [`fa95c96`](https://github.com/Contrast-Security-OSS/actionbot/commit/fa95c969a50f6c331ec8ef19580fb9b8521851ca)
+- adding main source [`8abd978`](https://github.com/Contrast-Security-OSS/actionbot/commit/8abd978c460b0e7b9c9cc611eb5540e5a18011f9)
+- Initial upload [`594800b`](https://github.com/Contrast-Security-OSS/actionbot/commit/594800ba2c056682322dc9e2176f95f16c131ba7)

action.yml

@@ -10,7 +10,7 @@ inputs:
     description: 'Set to either `allow` or `prohibit`. When allow is the policy, any actions not on the list will be in violation. When prohibit is the policy, any actions on the list will be in violation.'
   policy-url:
     required: true
-    description: 'The url to a publicly available json file containing a list of allowed or prohibited actions.'
+    description: 'The URL to a publicly accessible or private GitHub JSON file containing a list of allowed or prohibited actions. Private URLs require appropriate permissions or authentication.'
   fail-if-violations:
     required: false
     default: 'true'

lib/index.js

@@ -38905,6 +38905,10 @@ class Action {
     }
 }
 exports.Action = Action;
+function isGitHubUrl(url) {
+    const githubPattern = /^https?:\/\/(www\.)?github\.com\/.+/;
+    return githubPattern.test(url);
+}
 function isPolicyResponse(obj) {
     return typeof obj === "object" && obj !== null && Array.isArray(obj.actions);
 }
@@ -39004,19 +39008,39 @@ function run(context) {
                 console.log("No workflow files detected in change set.");
                 return;
             }
-            // Load up the remote policy list
-            yield (0, node_fetch_1.default)(policyUrl)
-                .then((response) => response.json())
-                .then((json) => {
-                // json is now correctly typed as PolicyResponse
-                json.actions.forEach((as) => {
-                    actionPolicyList.push(new Action(as));
+            if (!isGitHubUrl(policyUrl)) {
+                // Load up the remote policy list
+                yield (0, node_fetch_1.default)(policyUrl)
+                    .then((response) => response.json())
+                    .then((json) => {
+                    // json is now correctly typed as PolicyResponse
+                    json.actions.forEach((as) => {
+                        actionPolicyList.push(new Action(as));
+                    });
+                })
+                    .catch((error) => {
+                    console.error("Error fetching or parsing policy:", error);
+                    // Handle the error appropriately (e.g., throw an error, set a default policy)
                 });
-            })
-                .catch((error) => {
-                console.error("Error fetching or parsing policy:", error);
-                // Handle the error appropriately (e.g., throw an error, set a default policy)
-            });
+            }
+            else {
+                // Load up the github policy list
+                const response = yield client.rest.repos.getContent({
+                    owner: github.context.repo.owner,
+                    repo: github.context.repo.repo,
+                    path: policyUrl.replace("https://github.com/", "").split("/").slice(2).join("/"),
+                });
+                if (response.data && "content" in response.data) {
+                    const content = Buffer.from(response.data.content, "base64").toString("utf-8");
+                    const json = JSON.parse(content);
+                    json.actions.forEach((as) => {
+                        actionPolicyList.push(new Action(as));
+                    });
+                }
+                else {
+                    throw new Error("Failed to load GitHub policy list.");
+                }
+            }
             console.log("\nACTION POLICY LIST");
             console.log(line);
             actionPolicyList.forEach((item) => {

package.json

@@ -1,16 +1,18 @@
 {
   "name": "actionbot",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "private": true,
   "description": "Github Action Policy Checker as a Github Action",
   "main": "lib/index.js",
   "scripts": {
     "build": "ncc build src/main.ts -o lib",
+    "clean": "rm -rf lib",
     "format": "prettier --write **/*.ts",
     "format-check": "prettier --check **/*.ts",
     "lint": "eslint src/**/*.ts",
     "package": "ncc build --source-map",
     "test": "jest",
+    "version": "auto-changelog -p && git add CHANGELOG.md && git commit -m 'chore: update changelog' && git tag -a v$(node -p \"require('./package.json').version\") -m 'Version $(node -p \"require('./package.json').version\")'",
     "all": "npm run build && npm run format && npm run lint && npm run package && npm test"
   },
   "repository": {
@@ -30,18 +32,19 @@
   "dependencies": {
     "@actions/core": "^1.11.1",
     "@actions/github": "^6.0.0",
-    "@vercel/ncc": "^0.38.3",
     "@octokit/rest": "^21.1.1",
     "@types/js-yaml": "^4.0.9",
     "@types/node-fetch": "^2.6.12",
-    "octokit": "^4.1.2",
-    "node-fetch": "3.3.2"
+    "@vercel/ncc": "^0.38.3",
+    "node-fetch": "3.3.2",
+    "octokit": "^4.1.2"
   },
   "devDependencies": {
     "@types/jest": "^29.5.14",
     "@types/node": "^22.13.8",
     "@typescript-eslint/parser": "^8.26.0",
     "@vercel/ncc": "^0.38.1",
+    "auto-changelog": "^2.5.0",
     "eslint": "^9.21.0",
     "eslint-plugin-github": "^6.0.0",
     "eslint-plugin-jest": "^28.11.0",

src/main.ts

@@ -35,6 +35,11 @@ interface PolicyResponse {
   actions: string[];
 }
 
+function isGitHubUrl(url: string): boolean {
+  const githubPattern = /^https?:\/\/(www\.)?github\.com\/.+/;
+  return githubPattern.test(url);
+}
+
 function isPolicyResponse(obj: any): obj is PolicyResponse {
   return typeof obj === "object" && obj !== null && Array.isArray(obj.actions);
 }
@@ -151,19 +156,44 @@ async function run(context: typeof github.context): Promise<void> {
       return;
     }
 
-    // Load up the remote policy list
-    await fetch(policyUrl)
-      .then((response) => response.json() as Promise<PolicyResponse>)
-      .then((json) => {
-        // json is now correctly typed as PolicyResponse
+    if (!isGitHubUrl(policyUrl)) {
+      // Load up the remote policy list
+      await fetch(policyUrl)
+        .then((response) => response.json() as Promise<PolicyResponse>)
+        .then((json) => {
+          // json is now correctly typed as PolicyResponse
+          json.actions.forEach((as) => {
+            actionPolicyList.push(new Action(as));
+          });
+        })
+        .catch((error) => {
+          console.error("Error fetching or parsing policy:", error);
+          // Handle the error appropriately (e.g., throw an error, set a default policy)
+        });
+    } else {
+      // Load up the github policy list
+      const response = await client.rest.repos.getContent({
+        owner: github.context.repo.owner,
+        repo: github.context.repo.repo,
+        path: policyUrl
+          .replace("https://github.com/", "")
+          .split("/")
+          .slice(2)
+          .join("/"),
+      });
+
+      if (response.data && "content" in response.data) {
+        const content = Buffer.from(response.data.content, "base64").toString(
+          "utf-8",
+        );
+        const json = JSON.parse(content) as PolicyResponse;
         json.actions.forEach((as) => {
           actionPolicyList.push(new Action(as));
         });
-      })
-      .catch((error) => {
-        console.error("Error fetching or parsing policy:", error);
-        // Handle the error appropriately (e.g., throw an error, set a default policy)
-      });
+      } else {
+        throw new Error("Failed to load GitHub policy list.");
+      }
+    }
 
     console.log("\nACTION POLICY LIST");
     console.log(line);