From 88bc3dab507b6401d57ddd6242022028bc93671a Mon Sep 17 00:00:00 2001
From: Luke Cartey
Date: Wed, 11 Sep 2024 11:10:08 +0100
Subject: [PATCH] Remove ACLs for dispatch targets

Remove ACLs and replace with a check against write access to the repository.
---
 .github/actions/check-permissions/action.yml | 43 +++++++++++++++++++
 .github/workflows/dispatch-matrix-check.yml | 13 +++---
 .../dispatch-matrix-test-on-comment.yml | 25 +++--------
 .../dispatch-release-performance-check.yml | 25 +++--------
 4 files changed, 64 insertions(+), 42 deletions(-)
 create mode 100644 .github/actions/check-permissions/action.yml

diff --git a/.github/actions/check-permissions/action.yml b/.github/actions/check-permissions/action.yml
new file mode 100644
index 0000000000..9a3ea6d7f7
--- /dev/null
+++ b/.github/actions/check-permissions/action.yml
@@ -0,0 +1,43 @@
+name: Check current actor permissions
+description: |
+ Checks whether the current actor has the specified permssions
+inputs:
+ minimum-permission:
+ description: |
+ The minimum required permission. One of: read, write, admin
+ required: true
+outputs:
+ has-permission:
+ description: "Whether the actor had the minimum required permission"
+ value: ${{ steps.check-permission.outputs.has-permission }}
+
+runs:
+ using: composite
+ steps:
+ - uses: actions/github-script@v7
+ id: check-permission
+ with:
+ script: |
+ // Valid permissions are none, read, write, admin (legacy base permissions)
+ const permissionsRanking = ["none", "read", "write", "admin"];
+
+ const minimumPermission = core.getInput('minimum-permission');
+ if (!permissionsRanking.includes(minimumPermission)) {
+ core.setFailed(`Invalid minimum permission: ${minimumPermission}`);
+ return;
+ }
+
+ const { data : { permission : actorPermission } } = await github.rest.repos.getCollaboratorPermissionLevel({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ username: tools.context.actor
+ });
+
+ // Confirm whether the actor permission is at least the selected permission
+ const hasPermission = permissionsRanking.indexOf(minimumPermission) <= permissionsRanking.indexOf(actorPermission) ? "1" : "";
+ core.setOutput('has-permission', hasPermission);
+ if (!hasPermission) {
+ core.info(`Current actor (${tools.context.actor}) does not have the minimum required permission '${minimumPermission}' (has '${actorPermission}')`);
+ } else {
+ core.info(`Current actor (${tools.context.actor}) has the minimum required permission '${minimumPermission}' (has '${actorPermission}')`);
+ }
\ No newline at end of file
diff --git a/.github/workflows/dispatch-matrix-check.yml b/.github/workflows/dispatch-matrix-check.yml
index a570777877..458a7a6a58
--- a/.github/workflows/dispatch-matrix-check.yml
+++ b/.github/workflows/dispatch-matrix-check.yml
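Review bot: `username: tools.context.actor` (and the two `core.info` calls) reference a `tools` global that actions/github-script does not provide — its script scope exposes `github`, `context`, `core` and a few helpers, and the same API call already uses `context.repo.owner` two lines above — so the step should throw a ReferenceError before any permission is computed; the fix is `context.actor` in all three places. Because a thrown error fails the step and every caller gates on its output, this fails closed: maintainers cannot dispatch either, but no bypass opens. A second concern, which I believe holds for composite actions, is that `core.getInput('minimum-permission')` in a nested step reads `INPUT_MINIMUM-PERMISSION` from the environment, which the runner sets for the composite action's own invocation but not for the steps inside it, so the value would come back empty and hit `core.setFailed`; passing the input through `env:` as below avoids that. Two smaller points: the output is `"1"`/`""`, which makes callers depend on truthy-string semantics where emitting `'true'`/`'false'` and testing `== 'true'` is the conventional Actions contract, and `permssions` in the description is a typo.
```yaml
    - uses: actions/github-script@v7
      id: check-permission
      env:
        # Composite-action inputs are not visible to core.getInput() in nested steps unless passed explicitly.
        INPUT_MINIMUM-PERMISSION: ${{ inputs.minimum-permission }}
      with:
        script: |
          // … unchanged: permissionsRanking, minimumPermission lookup and validation …
          const { data : { permission : actorPermission } } = await github.rest.repos.getCollaboratorPermissionLevel({
            owner: context.repo.owner,
            repo: context.repo.repo,
            username: context.actor
          });
          // … unchanged: ranking comparison, setOutput and the two core.info calls (also switched to context.actor) …
```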
@@ -11,13 +11,14 @@ jobs:
 dispatch-matrix-check:
 runs-on: ubuntu-22.04
 steps:
- - name: Test Variables
- shell: pwsh
- run: |
- Write-Host "Running as: ${{github.actor}}"
+ - name: Check permission
+ id: check-write-permission
+ uses: ./.github/actions/check-permissions
+ with:
+ minimum-permission: "write"
 
 - name: Dispatch Matrix Testing Job
- if: ${{ contains(fromJSON('["mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill"]'), github.actor) }}
+ if: steps.check-write-permission.outputs.has-permission
 uses: peter-evans/repository-dispatch@v2
 with:
 token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
@@ -26,7 +27,7 @@ jobs:
 client-payload: '{"pr": "${{ github.event.number }}"}'
 
 - uses: actions/github-script@v6
- if: ${{ contains(fromJSON('["mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill"]'), github.actor) }}
+ if: steps.check-write-permission.outputs.has-permission
 with:
 script: |
 github.rest.issues.createComment({
diff --git a/.github/workflows/dispatch-matrix-test-on-comment.yml b/.github/workflows/dispatch-matrix-test-on-comment.yml
index ba223380c7..4dc69a035a
--- a/.github/workflows/dispatch-matrix-test-on-comment.yml
+++ b/.github/workflows/dispatch-matrix-test-on-comment.yml
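Review bot: The new gate `if: steps.check-write-permission.outputs.has-permission` depends on the action emitting an empty string for "no", and the identical condition is repeated on the dispatch step here and on the comment step in the second hunk, while nothing explains to a reader arriving from the removed hard-coded user list why write access is now the criterion. I would add above the check step `# Only actors with write access to this repository may trigger the release-engineering dispatch (replaces the former hard-coded user list).` and consider moving the check into its own job so the dispatch steps are gated once with a job-level `if:` instead of per step. What `github.actor` means for this workflow depends on the `on:` trigger, which sits above this hunk and is not visible here; for a `pull_request`-style trigger it is whoever performed the triggering action rather than necessarily the PR author, which is the right identity to check but worth stating in that comment. In either case the gate fails closed when the check step fails, since a missing output evaluates as falsy.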
@@ -3,30 +3,19 @@ name: 🤖 Run Matrix Check (On Comment)
 on:
 issue_comment:
 types: [created]
- branches:
- - main
- - "rc/**"
- - next
 
 jobs:
 dispatch-matrix-check:
 runs-on: ubuntu-22.04
 steps:
- - name: Test Variables
- shell: pwsh
- run: |
- Write-Host "Running as: ${{github.actor}}"
-
- $actor = "${{github.actor}}"
-
- $acl = @("mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill")
-
- if(-not ($actor -in $acl)){
- throw "Refusing to run workflow for user not in acl."
- }
+ - name: Check permission
+ id: check-write-permission
+ uses: ./.github/actions/check-permissions
+ with:
+ minimum-permission: "write"
 
 - name: Dispatch Matrix Testing Job
- if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') }}
+ if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') && steps.check-write-permission.outputs.has-permission }}
 uses: peter-evans/repository-dispatch@v2
 with:
 token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
@@ -35,7 +24,7 @@ jobs:
 client-payload: '{"pr": "${{ github.event.issue.number }}"}'
 
 - uses: actions/github-script@v6
- if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') }}
+ if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') && steps.check-write-permission.outputs.has-permission }}
 with:
 script: |
 github.rest.issues.createComment({
diff --git a/.github/workflows/dispatch-release-performance-check.yml b/.github/workflows/dispatch-release-performance-check.yml
index 827c0c4463..8933495382
--- a/.github/workflows/dispatch-release-performance-check.yml
+++ b/.github/workflows/dispatch-release-performance-check.yml
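Review bot: The new `Check permission` step has no `if:`, so on this `issue_comment` trigger it runs — and calls the collaborator-permission API — for every comment on every issue and PR, whereas the dispatch steps below it only act when `github.event.issue.pull_request` is set and the body contains `/test-matrix`. Giving the check step the same guard, `if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-matrix') }}`, removes that noise without weakening the gate, because a skipped step's output is empty and therefore falsy in the later conditions. Separately, and hedged because the downstream job is not visible here, the payload carries only the PR number: whatever consumes it will test the PR head as it exists when that job checks out, not the head the maintainer saw when commenting, so a fork author can push new commits after a `/test-matrix` and have them run under the dispatched context; resolving the head SHA here and including it in `client-payload` closes that window. The dispatch step's `with:` block continues between the two hunks.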
@@ -3,30 +3,19 @@ name: 🏁 Run Release Performance Check
 on:
 issue_comment:
 types: [created]
- branches:
- - main
- - "rc/**"
- - next
 
 jobs:
 dispatch-matrix-check:
 runs-on: ubuntu-22.04
 steps:
- - name: Test Variables
- shell: pwsh
- run: |
- Write-Host "Running as: ${{github.actor}}"
-
- $actor = "${{github.actor}}"
-
- $acl = @("mbaluda", "lcartey", "rvermeulen", "ravikprasad", "jeongsoolee09", "hohn", "knewbury01", "nicolaswill")
-
- if(-not ($actor -in $acl)){
- throw "Refusing to run workflow for user not in acl."
- }
+ - name: Check permission
+ id: check-write-permission
+ uses: ./.github/actions/check-permissions
+ with:
+ minimum-permission: "write"
 
 - name: Dispatch Performance Testing Job
- if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') }}
+ if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') && steps.check-write-permission.outputs.has-permission }}
 uses: peter-evans/repository-dispatch@v2
 with:
 token: ${{ secrets.RELEASE_ENGINEERING_TOKEN }}
@@ -35,7 +24,7 @@ jobs:
 client-payload: '{"pr": "${{ github.event.issue.number }}"}'
 
 - uses: actions/github-script@v6
- if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') }}
+ if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') && steps.check-write-permission.outputs.has-permission }}
 with:
 script: |
 github.rest.issues.createComment({
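Review bot: The job in this workflow is still called `dispatch-matrix-check` (the context line under `jobs:`) although it dispatches the performance check, and the hunk is otherwise a line-for-line copy of dispatch-matrix-test-on-comment.yml with only the command string and step name changed; renaming the job to `dispatch-performance-check` and factoring the shared comment-command gate into a reusable workflow or composite action would remove the drift risk that the stale name already demonstrates. As in the sibling workflow, the new check step carries no `if:`, so every comment on every issue triggers a collaborator-permission lookup; `if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/test-performance') }}` on that step keeps the later gates intact, since a skipped step's output is empty. `contains(...)` also matches the command anywhere in the body, including inside a quoted reply, so `startsWith(github.event.comment.body, '/test-performance')` is probably closer to the intended trigger. The dispatch step's `with:` block continues between the two hunks.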