forked from github/docs
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
test for allowed Actions (github#15850)
* test for allowed actions * lint * empty commit
- Loading branch information
Showing
2 changed files
with
67 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| // This is an AllowList of GitHub Actions that are approved for use in this project. | ||
| // If a new or existing workflow file is updated to use an action or action version not listed here, | ||
| // CI will fail and the action will need to be audited by the docs engineering team before it | ||
| // can be added it this list. | ||
|
|
||
| module.exports = [ | ||
| 'actions/cache@v1', | ||
| 'actions/cache@v2', | ||
| 'actions/checkout@v2', | ||
| 'actions/[email protected]', | ||
| 'actions/github-script@v2', | ||
| 'actions/github-script@v3', | ||
| 'actions/labeler@v2', | ||
| 'actions/setup-node@v1', | ||
| 'actions/setup-ruby@v1', | ||
| 'actions/stale@v3', | ||
| 'dawidd6/action-delete-branch@v3', | ||
| 'docker://chinthakagodawita/autoupdate-action:v1', | ||
| 'github/codeql-action/analyze@v1', | ||
| 'github/codeql-action/init@v1', | ||
| 'ianwalter/[email protected]', | ||
| 'juliangruber/approve-pull-request-action@v1', | ||
| 'juliangruber/find-pull-request-action@v1', | ||
| 'juliangruber/read-file-action@v1', | ||
| 'pascalgn/automerge-action@135f0bdb927d9807b5446f7ca9ecc2c51de03c4a', | ||
| 'peter-evans/create-issue-from-file@v2', | ||
| 'peter-evans/create-pull-request@v2', | ||
| 'repo-sync/github-sync@v2', | ||
| 'repo-sync/pull-request@v2', | ||
| 'rtCamp/action-slack-notify@master', | ||
| 'rtCamp/[email protected]' | ||
| ] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| const fs = require('fs') | ||
| const path = require('path') | ||
| const yaml = require('js-yaml') | ||
| const flat = require('flat') | ||
| const { chain, difference, get } = require('lodash') | ||
| const workflowsDir = path.join(__dirname, '../../.github/workflows') | ||
| const workflows = fs.readdirSync(workflowsDir) | ||
| .filter(filename => filename.endsWith('.yml') || filename.endsWith('.yaml')) | ||
| .map(filename => { | ||
| const fullpath = path.join(workflowsDir, filename) | ||
| const data = yaml.load(fs.readFileSync(fullpath, 'utf8'), { fullpath }) | ||
| return { filename, fullpath, data } | ||
| }) | ||
| const allowedActions = require('../../.github/allowed-actions') | ||
|
|
||
| function actionsUsedInWorkflow (workflow) { | ||
| return Object.keys(flat(workflow)) | ||
| .filter(key => key.endsWith('.uses')) | ||
| .map(key => get(workflow, key)) | ||
| } | ||
|
|
||
| describe('GitHub Actions workflows', () => { | ||
| test('only use allowed actions from ./github/allow-actions.json', async () => { | ||
| const allUsedActions = chain(workflows) | ||
| .map(actionsUsedInWorkflow) | ||
| .flatten() | ||
| .uniq() | ||
| .sort() | ||
| .value() | ||
|
|
||
| expect(allowedActions.length).toBeGreaterThan(0) | ||
| expect(allUsedActions.length).toBeGreaterThan(0) | ||
| expect(difference(allowedActions, allUsedActions)).toEqual([]) | ||
| }) | ||
| }) |