You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
81 lines
2.3 KiB
Bash
81 lines
2.3 KiB
Bash
#!/usr/bin/env bash
|
|
# vim:ts=4:sts=4:sw=4:et
|
|
#
|
|
# Author: Hari Sekhon
|
|
# Date: 2022-01-26 19:00:10 +0000 (Wed, 26 Jan 2022)
|
|
#
|
|
# https://github.com/HariSekhon/DevOps-Bash-tools
|
|
#
|
|
# License: see accompanying Hari Sekhon LICENSE file
|
|
#
|
|
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish
|
|
#
|
|
# https://www.linkedin.com/in/HariSekhon
|
|
#
|
|
|
|
set -euo pipefail
|
|
[ -n "${DEBUG:-}" ] && set -x
|
|
srcdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
|
|
# shellcheck disable=SC1090
|
|
. "$srcdir/lib/git.sh"
|
|
|
|
ALLOW_FILE="$srcdir/.github/workflows/actions-allowed.txt"
|
|
|
|
# shellcheck disable=SC2034,SC2154
|
|
usage_description="
|
|
Allows select 3rd party GitHub Actions in the given repo using the GitHub API
|
|
|
|
If you have an Organization, I recommend you set this organization-wide instead, but for individual users this is handy to automate tightenting up your security
|
|
|
|
The list of actions is taken from the adjacent file '${ALLOW_FILE#$srcdir/}'
|
|
|
|
See Also:
|
|
|
|
github_actions_repos_lockdown.sh - applies this to all repos
|
|
"
|
|
|
|
# used by usage() in lib/utils.sh
|
|
# shellcheck disable=SC2034
|
|
usage_args="<user>/<repo>"
|
|
|
|
help_usage "$@"
|
|
|
|
#min_args 1 "$@"
|
|
|
|
repo="${1:-}"
|
|
|
|
if [ -z "$repo" ]; then
|
|
repo="$(git_repo)"
|
|
fi
|
|
|
|
repo="$(perl -pne 's|^https://github.com/||i' <<< "$repo")"
|
|
repo="${repo##/}"
|
|
|
|
actions_allowed="$(sed 's/#.*//;
|
|
s/^[[:space:]]*//;
|
|
s/[[:space:]]*$//;
|
|
/^[[:space:]]*$/d;' \
|
|
"$ALLOW_FILE")"
|
|
|
|
if [ -z "$actions_allowed" ]; then
|
|
die "No 3rd party actions found in the allow file '$ALLOW_FILE'"
|
|
fi
|
|
|
|
timestamp "Enabling the following 3rd party GitHub Actions on repo '$repo':"
|
|
echo
|
|
echo "$actions_allowed"
|
|
echo
|
|
|
|
# convert to array of strings for the API
|
|
#actions_allowed_json_array="$(printf "[%s]" "$(while read -r action; do echo "\"$action\", "; done <<< "$actions_allowed" | sed 's/, //')")"
|
|
|
|
actions_allowed_json_array="["
|
|
while read -r action; do
|
|
actions_allowed_json_array+="\"$action\", "
|
|
done <<< "$actions_allowed"
|
|
actions_allowed_json_array="${actions_allowed_json_array%, }"
|
|
actions_allowed_json_array+="]"
|
|
|
|
"$srcdir/github_api.sh" "/repos/$repo/actions/permissions/selected-actions" -X PUT -d "{\"patterns_allowed\": $actions_allowed_json_array}" # don't quote array, it contains the quotes already
|