This GitHub Action lets you enforce an action policy within this repository: a list of actions that are either allowed or prohibited. If a code push or pull request contains changes to a workflow YAML file that references an action violating the policy, a `violations` output value is set containing a JSON array of the offending actions.
Actions in the policy can be referenced in any of the following forms:
- Author
- Author/Action
- Author/Action@Ref
Create a `.github/workflows/enforce-action-policy.yml` file:

```yaml
name: "Enforce Action Policy"
on:
  push:
  pull_request:
    types:
      - opened
      - edited
jobs:
  enforce-action-policy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: rob-derosa/action-policy@v1
        name: "Check for action policy violations"
        id: action-policy
        with:
          policy: prohibit
          policy-url: "https://mycompanywebsite.com/security/prohibit_policy.json"
          fail-if-violations: false
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/github-script@v2
        name: "Respond to action policy violations"
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          violations: ${{steps.action-policy.outputs.violations}}
          script: |
            const script = require(`${process.env.GITHUB_WORKSPACE}/.github/workflows/action_violation.js`)
            await script({github, context, core})
```
Sample content of `prohibit_policy.json`:

```json
{
  "actions": [
    "externaldev/some-neat-action@v2",
    "badactor/[email protected]",
    "staleauthor/out-of-date-action@*",
    "untrustedauthor/*"
  ]
}
```
The following inputs are required:
- `policy`: Provide either `allow` to treat the policy as an allow list or `prohibit` to treat it as a prohibit list
- `policy-url`: The remote URL of the policy.json file containing a list of actions and versions allowed or prohibited (see sample payload)
- `fail-if-violations`: set to `false` if you want this action to refrain from setting the status of this action to fail; this allows downstream actions to run
- `github-token`: leave this be 🤘 - needed to access the added or modified files
Note that this action only checks whether action violations are detected and writes that data to the `violations` output. In this sample, we use a downstream action to respond to any violations that occur. By using the `actions/github-script@v2` action, we can execute JavaScript directly in the YAML workflow. Even cleaner, we can consolidate that logic in its own file and call it from the YAML workflow.
```yaml
steps:
  ...
  - uses: actions/github-script@v2
    name: "Respond to action policy violations"
    with:
      github-token: ${{secrets.GITHUB_TOKEN}}
      violations: ${{steps.action-policy.outputs.violations}}
      script: |
        const script = require(`${process.env.GITHUB_WORKSPACE}/.github/workflows/action_violation.js`)
        await script({github, context, core})
```
Here, we are executing logic contained in the `.github/workflows/action_violation.js` file. If a violation occurs:
- triggered by code push
  - an issue will be created, labeled with `Action Policy Violation`, containing a link to the commit, and assigned to the user pushing the code
- triggered by pull request being opened or updated
  - the pull request will be labeled with `Action Policy Violation` and a comment is added with violation details
Keeping the response to the violations in a separate step but in its own Javascript file allows for maximum flexibility on how you choose to respond while still providing access to context, core, octokit, io and keeping your yaml nice and tidy.
A commit was made that included an update to a workflow file.
Because a violation was detected, a comment is added to the pull request and the pull request is labeled. If triggered by a code push, a new issue is created and assigned to the user who pushed the code.
- provide support for ignore path filters to allow ignoring specific workflow files
MIT