
verify-files-modify's Introduction

⚡ Verify Files Modify

Verify which files a PR modifies, and comment on, assign or close the PR when it touches files or paths it should not.

Currently only the pull_request and pull_request_target triggers are supported.

How to use?

name: Verify Files modify

on:
  pull_request_target:
    types: [opened, edited, reopened, synchronize, ready_for_review]

jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - name: verify-version
        uses: actions-cool/verify-files-modify@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          forbid-files: 'action.yml, LICENSE'
          forbid-paths: '.github/, dist/'
          assignees: 'xxx1, xxx2'
          comment: |
            Please don't modify this.
          close: true
Name                   Desc                                                                              Type     Required
token                  GitHub token                                                                      string
forbid-files           Forbidden files. Takes precedence over allowed-*. Multiple values, comma-separated  string
forbid-paths           Forbidden paths. Takes precedence over allowed-*. Multiple values, comma-separated  string
allowed-files          Allowed files. Multiple values, comma-separated                                   string
allowed-paths          Allowed paths. Multiple values, comma-separated                                   string
skip-verify-authority  Skip verification by the PR creator's permission level. Options: read, write, admin  string
skip-verify-users      Skip verification by the PR creator's user id. Multiple values, comma-separated   string
skip-label             Skip verification when the PR carries this label                                  string
comment                Comment to post when the verification hits (a forbidden file or path was modified)  string
comment-mark           Marker text used to find the existing comment                                     string
assignees              Assignees to add when the verification hits                                       string
close                  Close the PR when the verification hits                                           boolean
set-failed             When hit, whether to mark the check as failed. Default true                       boolean

Note

  • When the PR comes from a fork, pull_request_target is required for the action to comment on or close it. When using pull_request_target, you must read up on its security implications first: it runs in the base repository's context with a write-capable token and access to secrets, so never check out or execute the PR's own code in that workflow.
  • When using pull_request with a PR from a fork, the token cannot comment or close; the action will only report its result as the CI check status.
  • skip-verify-users takes a comma-separated list, like 'x1, x2, x3'
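The inputs above combine into one decision per PR: skip entirely for trusted creators or a skip label, otherwise collect the changed files that hit, with forbid rules winning over allowed rules. The following is an added reference model of that logic, not the action's own src/main.js; the function names, the PR object shape, and the assumption that an allow-list alone makes every other file a hit are my own.

```javascript
// Added example (not the action's own code): a reference model of the decision
// the README inputs describe. Function names and the PR shape are assumptions.

// Comma-separated input -> trimmed, non-empty list ('a, b' -> ['a', 'b']).
function parseList(value) {
  return (value || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// Skip verification for trusted creators or a skip label. permission is the
// creator's repository permission level: read | write | admin.
function shouldSkip(pr, opts) {
  const rank = { read: 1, write: 2, admin: 3 };
  const needed = rank[opts.skipVerifyAuthority] || Infinity;
  if ((rank[pr.permission] || 0) >= needed) return true;
  if (parseList(opts.skipVerifyUsers).includes(pr.author)) return true;
  return Boolean(opts.skipLabel) && pr.labels.includes(opts.skipLabel);
}

// Changed files that violate the policy. Forbid rules take precedence over
// allowed rules; when only allowed rules are set, any file outside them hits
// (assumed allow-list semantics).
function verifyFiles(files, opts) {
  const forbidFiles = parseList(opts.forbidFiles);
  const forbidPaths = parseList(opts.forbidPaths);
  const allowedFiles = parseList(opts.allowedFiles);
  const allowedPaths = parseList(opts.allowedPaths);
  const under = (file, paths) => paths.some((p) => file.startsWith(p));
  const hasAllow = allowedFiles.length + allowedPaths.length > 0;
  return files.filter((file) => {
    if (forbidFiles.includes(file) || under(file, forbidPaths)) return true;
    if (!hasAllow) return false;
    return !(allowedFiles.includes(file) || under(file, allowedPaths));
  });
}

// Full decision: which files hit, and whether to close the PR / fail the check.
function decide(pr, opts) {
  if (shouldSkip(pr, opts)) return { skipped: true, hits: [], close: false, failed: false };
  const hits = verifyFiles(pr.files, opts);
  const hit = hits.length > 0;
  return { skipped: false, hits, close: hit && opts.close === true, failed: hit && opts.setFailed !== false };
}

// Constructed sample: the README workflow's inputs applied to a fork PR that
// touches a workflow file and a source file.
const README_OPTS = { forbidFiles: 'action.yml, LICENSE', forbidPaths: '.github/, dist/', close: true };
const SAMPLE_PR = { author: 'someone', permission: 'read', labels: [],
  files: ['.github/workflows/ci.yml', 'src/main.js'] };
console.log(decide(SAMPLE_PR, README_OPTS));
```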

⚡ Feedback

You are very welcome to try it out and put forward your comments. You can use the following methods:

  • Report bugs or consult with Issue
  • Submit Pull Request to improve the code of verify-files-modify

You are also welcome to join the DingTalk discussion group.

Changelog

CHANGELOG

LICENSE

MIT

verify-files-modify's People

Contributors

xrkffgg, zoo-js-bot

Forkers

zoo-js-bot

verify-files-modify's Issues

GITHUB_TOKEN permissions used by this action

At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of GITHUB_TOKEN permissions needed by different GitHub Actions. When developers try to set minimum token permissions for their workflows, they can use this knowledge-base instead of trying to research permissions needed by each GitHub Action they use.

Below you can see the KB of your GITHUB Action.

name: 'Verify Files Modify'
github-token:
  action-input:
    input: token
  permissions:
    pull-requests: write
    pull-requests-reason: to update status of PRs #Checkout: https://github.com/actions-cool/verify-files-modify/blob/61404155b337d24034af65ea3527be289c4d9994/src/main.js#L154
    issues: read
    issues-reason: to query comment in issues #Checkout:https://github.com/actions-cool/verify-files-modify/blob/61404155b337d24034af65ea3527be289c4d9994/src/main.js#L108
    contents: read
    contents-reason: to query creator permission level #Checkout: https://github.com/actions-cool/verify-files-modify/blob/61404155b337d24034af65ea3527be289c4d9994/src/main.js#L59

# Fix #554

If you think this information is not accurate, or if in the future your GitHub Action starts using a different set of permissions, please create an issue at https://github.com/step-security/secure-workflows/issues to let us know.

This issue is automatically created by our analysis bot, feel free to close after reading :)

References:

GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.

Setting minimum token permissions is also checked for by Open Source Security Foundation (OpenSSF) Scorecards. Scorecards recommend using https://github.com/step-security/secure-workflows so developers can fix this issue in an easier manner.

Feature to allow skip-verify by github's user ids or code owners?

Hi there, I am thinking of using this action to prevent unauthorized users from modifying the workflow files in a GitHub repo.

As you may know, GitHub's write authorization on a repo for a user cannot be set at a fine-grained level, for example only for specific paths or folders. So a contributor with write access can modify any file in that repo, but the repo maintainer may want to protect the workflow files and only allow a subset of people (from a list of allowed GitHub user ids or code owners) to modify them.

So I am wondering if we can add a feature for the action to skip verification if the user opening the PR is on the list of allowed GitHub user ids or is one of the workflow files' code owners. I am thinking this is very similar to the skip-verify-authority option, except it decides on user_ids rather than permissions.

Thanks.
