-
Notifications
You must be signed in to change notification settings - Fork 1.7k
Expand file tree
/
Copy pathaction.yml
More file actions
138 lines (124 loc) · 5.81 KB
/
action.yml
File metadata and controls
138 lines (124 loc) · 5.81 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
name: Authorization
description: |
Checks to see whether a user may perform a certain action. For example, to target the `live`
branch of a repository or to submit a PR editing repo configuration.
author: PowerShell Docs Team
inputs:
authorized_accounts:
description: |
Defines one or more authorized accounts to skip permission-checking for. This is best used
for bot accounts, which may not have specific permissions to a repository but are used by
the organization's automation. Must be a comma-separated string of account names.
If a user is in the authorized accounts list, the action skips checking permissions and
passes for that user.
required: false
default: ''
permissions:
description: |
The permissions a user requires to perform a given task. Must be a comma-separated string of
valid permissions. Valid permissions are (case-insensitive):
- `Admin`
- `Maintain`
- `Pull`
- `Push`
- `Triage`
If a user has _any_ of the specified permissions, they are authorized.
required: false
default: 'Maintain,Admin'
repository:
description: |
The full name of a repository; to target `https://github.com/MicrosoftDocs/PowerShell-Docs`,
the value should be `MicrosoftDocs/PowerShell-Docs`.
By default, the value is the repository the _workflow_ is defined in. Unless you are running
this action against another repository, you should not need to specify this value.
required: true
default: ${{ github.repository }}
target:
description: |
The branches or globbed file paths to verify authorization to target for changes. To specify
a branch, type a string like `branch:live`. This value determines the messaging for this
action but does not limit the authorization status check. To ensure your authorization
workflow only runs when a branch is targeted, use the **branches** setting for the
`pull_request` or `pull_request_target` trigger. To ensure your authorization workflow only
runs when a Pull Request modifies particular files, use the **paths** setting for the
`pull_request` or `pull_request_target` trigger. You can use those settings together. For
more information, see the documentation for the [branches][syntax-docs-branches] and
[paths][syntax-docs-paths] settings for workflows in GitHub's documentation.
To specify multiple branches, separate each branch
by a comma and/or newline, like `branch: live, production`. To specify a filepath, specify one
or more path separated by a comma and/or a newline, like `path: foo/**/*.md, bar/*.json`.
If you do not specify a prefix like `branch:` or `path:` or specify an invalid prefix, it will
be interpreted as branch. The default is `branch:live`.
When using multiple values, it can be easier to type them in a multiline string block in yaml,
like this:
```yaml
name: Authorized to Modify Repo Files?
uses: MicrosoftDocs/PowerShell-Docs/.github/actions/verification/authorization/v1@main
with:
target: |
path:
*.config.json
first/folder/path
another/path
final/path/entry/*.jsonc
```
[syntax-docs-branches]: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpull_requestpull_request_targetbranchesbranches-ignore
[syntax-docs-paths]: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore
required: true
default: branch:live
token:
description: |
The GITHUB_TOKEN to use to authenticate API calls to verify the user's permissions for the
repository. This **must** be passed to the action.
required: true
user:
description: |
The GitHub login ID to check permissions for.
required: true
default: ${{ github.event.pull_request.user.login }}
runs:
using: composite
steps:
- shell: pwsh
env:
INPUT_REPOSITORY: ${{ inputs.repository }}
INPUT_PERMISSIONS: ${{ inputs.permissions }}
INPUT_TARGET: ${{ inputs.target }}
INPUT_USER: ${{ inputs.user }}
INPUT_AUTHORIZED_ACCOUNTS: ${{ inputs.authorized_accounts }}
GITHUB_TOKEN: ${{ inputs.token }}
run: |
Write-Output "::group::Generic Setup"
$ActionPath = Resolve-Path '${{ github.action_path }}' | Select-Object -ExpandProperty Path
$ParameterHandlers = Join-Path -Path $ActionPath -ChildPath Parameters.psd1
| ForEach-Object -Process { Import-PowerShellDataFile -Path $_ }
| Select -ExpandProperty Parameters
| ForEach-Object -Process { [pscustomobject]$_ }
"Action Path: $ActionPath"
$ActionRootPath = Split-Path -Parent -Path $ActionPath
while ((Split-Path -Leaf -Path $ActionRootPath) -ne 'actions') {
$ActionRootPath = Split-Path -Parent -Path $ActionRootPath
}
"Action Root Path: $ActionRootPath"
$JoinPathParams = @{
Path = $ActionRootPath
ChildPath = '.pwsh'
}
$ModulePath = Join-Path @JoinPathParams -AdditionalChildPath @(
'module'
'gha.psd1'
)
"Module Path: $ModulePath"
Import-Module -Name $ModulePath -PassThru | Format-List
$ScriptPath = Join-Path @JoinPathParams -AdditionalChildPath @(
'scripts',
'Test-Authorization.ps1'
)
"Script Path: $ScriptPath"
Write-Output "::endgroup::"
Write-Output "::group::Parameter Validation"
$Parameters = Get-ActionScriptParameter -ParameterHandler $ParameterHandlers
Write-Output "::endgroup::"
Write-Output "::group::Check Authorization"
. $ScriptPath @Parameters
Write-Output "::endgroup::"