github-actions-allow-list-as-code-action

Automate GitHub Actions allow list for GitHub Enterprise accounts

Usage

name: Deploy GitHub Actions allow list

on:
  push:
    branches: [main]
    paths: [github-actions-allow-list.yml]

jobs:
  deploy:
    runs-on: ubuntu-latest

    permissions: read-all

    steps:
      - name: Checkout
        uses: actions/[email protected]

      - name: Deploy GitHub Actions allow list
        uses: ActionsDesk/[email protected]
        with:
          token: ${{ secrets.ENTERPRISE_ADMIN_TOKEN }}
          enterprise: 'your-enterprise'
          # same as defined under `on.pull_requests.paths`
          allow_list_path: github-actions-allow-list.yml

Action Inputs

Name	Description	Default	Required
`token`	GitHub Personal Access Token (PAT) with `admin:enterprise` or `admin:org` scope		`true`
`organization`	GitHub organization slug		`false`
`enterprise`	GitHub Enterprise account slug		`false`
`allow_list_path`	Path to the GitHub Actions allow list YML within the repository	`github-actions-allow-list.yml`	`false`
`gh_api_url`	GitHub Enterprise Server - URL to the GitHub API endpoint. Example: `https://github.example.com/api/v3.`	`${{ github.api_url }}`	`false`

ℹ️ Notes for providing enterprise or organization:

Either provide enterprise to update the GitHub Enterprise Cloud's actions allow list, or organization to update a single organization's allow list.
Providing both will result in the action run failing with Please provide only one of: enterprise, organization.
If providing organization, but the allow list is handled via GitHub Enterprise Cloud's actions allow list, the action run will fail with Selected actions are already set at the enterprise level.

Allow List file

Example content for Allow List file containing actions: key and list with two allowed actions with specific versions, one wildcard entry for an entire org, and one wildcard entry for all versions of a specific action:

actions:
  - actionsdesk/[email protected]
  - hashicorp/[email protected]
  - aquasecurity/tfsec-sarif-action@*
  - azure/*

Local Development

To run locally, set the following environment variables, compile with ncc, and run with node:

export GITHUB_WORKSPACE=$(pwd)
export INPUT_ALLOW_LIST_PATH=allowlist.yml
export INPUT_ORGANIZATION=my-org # use INPUT_ENTERPRISE for enterprise
export INPUT_TOKEN=ghp_abcdefg
npm run build
node dist/index.js

License

MIT License

Name		Name	Last commit message	Last commit date
Latest commit History 128 Commits
.github		.github
.husky		.husky
dist		dist
utils		utils
.editorconfig		.editorconfig
.gitattributes		.gitattributes
.gitignore		.gitignore
.prettierignore		.prettierignore
action.js		action.js
action.yml		action.yml
eslint.config.js		eslint.config.js
license		license
package-lock.json		package-lock.json
package.json		package.json
prettier.config.js		prettier.config.js
readme.md		readme.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

github-actions-allow-list-as-code-action

Usage

Action Inputs

Allow List file

Local Development

License

About

Uh oh!

Releases 10

Uh oh!

Contributors 8

Uh oh!

Languages

License

ActionsDesk/github-actions-allow-list-as-code-action

Folders and files

Latest commit

History

Repository files navigation

github-actions-allow-list-as-code-action

Usage

Action Inputs

Allow List file

Local Development

License

About

Topics

Resources

License

Code of conduct

Contributing

Security policy

Uh oh!

Stars

Watchers

Forks

Releases 10

Uh oh!

Contributors 8

Uh oh!

Languages