GH Actions: restrict access to certain GH Actions #2016

Merged (19 commits), Sep 8, 2023
25 changes: 25 additions & 0 deletions .github/workflows/delete-old-releases.yml
Expand Up @@ -30,7 +30,32 @@ on:
default: ^v

jobs:
gate-check:
# Adding an `if:` that evaluates to false for this gate-check job prevents other dependent jobs from running.
runs-on: ubuntu-latest
steps:
- id: checkUserMember
# Only check for manual runs, not scheduled runs
if: github.event_name == 'workflow_dispatch'
uses: tspascoal/get-user-teams-membership@v2
with:
username: ${{ github.actor }}
team: 'vro-restricted'
GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN_READ_TEAM }}
- name: "Check permission"
id: check-permission
# Only check for manual runs, not scheduled runs
if: github.event_name == 'workflow_dispatch'
run: |
echo "${{ github.actor }} isTeamMember: ${{ steps.checkUserMember.outputs.isTeamMember }}"
echo "Member of teams: ${{ steps.checkUserMember.outputs.teams }}"
if [ "${{ steps.checkUserMember.outputs.isTeamMember }}" = 'false' ]; then
echo "Only VRO-RESTRICTED team members can run this action!" | tee -a "$GITHUB_STEP_SUMMARY"
exit 3
fi

delete_releases:
needs: gate-check
# Deletions in public repo will be automatically propagated to internal repo when mirror.yml runs, at which point:
# - Git release tags (associated with GitHub pre-releases) will be deleted in the internal repo
# - Tag deletions will result in GitHub releases disappearing in internal repo: https://github.com/department-of-veterans-affairs/abd-vro-internal/releases
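Review bot: the `check-permission` step only fails closed when `isTeamMember` is literally `'false'`; if the `checkUserMember` step yields no output (the action errors without failing the step, or a later version renames the output), `[ "" = 'false' ]` is false and the gate lets the run through. Both steps share the same `workflow_dispatch` condition, so a stricter test is `if [ "${{ steps.checkUserMember.outputs.isTeamMember }}" != 'true' ]; then`. Since the step hands `secrets.ACCESS_TOKEN_READ_TEAM` to a third-party action, consider pinning `tspascoal/get-user-teams-membership@v2` to a full commit SHA rather than a moving tag.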
25 changes: 25 additions & 0 deletions .github/workflows/delete-published-images.yml
Expand Up @@ -34,7 +34,32 @@ on:
# - '^release-1\.\d+\.\d+$'

jobs:
gate-check:
# Adding an `if:` that evaluates to false for this gate-check job prevents other dependent jobs from running.
runs-on: ubuntu-latest
steps:
- id: checkUserMember
# Only check for manual runs, not scheduled runs
if: github.event_name == 'workflow_dispatch'
uses: tspascoal/get-user-teams-membership@v2
with:
username: ${{ github.actor }}
team: 'vro-restricted'
GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN_READ_TEAM }}
Comment on lines +39 to +48

Contributor:
Should this be set up as a reusable block?

Contributor Author:
I considered that, but there are 2 different versions. Maybe someone can refactor that later.

- name: "Check permission"
id: check-permission
# Only check for manual runs, not scheduled runs
if: github.event_name == 'workflow_dispatch'
run: |
echo "${{ github.actor }} isTeamMember: ${{ steps.checkUserMember.outputs.isTeamMember }}"
echo "Member of teams: ${{ steps.checkUserMember.outputs.teams }}"
if [ ${{ steps.checkUserMember.outputs.isTeamMember }} = 'false' ]; then
echo "Only VRO-RESTRICTED team members can run this action!" | tee -a "$GITHUB_STEP_SUMMARY"
exit 3
fi

delete_images:
needs: gate-check
if: github.repository == 'department-of-veterans-affairs/abd-vro-internal'
continue-on-error: true
strategy:
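Review bot: the comparison in the `check-permission` step, `if [ ${{ steps.checkUserMember.outputs.isTeamMember }} = 'false' ]; then`, leaves the expression unquoted, unlike the same step in delete-old-releases.yml in this PR; if the output is ever empty the shell sees `[ = 'false' ]` and aborts with a "unary operator expected" error instead of making a clear allow/deny decision. Quote it as in the other file: `if [ "${{ steps.checkUserMember.outputs.isTeamMember }}" = 'false' ]; then`, and ideally compare against `'true'` with `!=` so an empty value is denied rather than allowed.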
25 changes: 25 additions & 0 deletions .github/workflows/delete-workflow-runs.yml
Expand Up @@ -20,7 +20,32 @@ on:
default: 20

jobs:
gate-check:
# Adding an `if:` that evaluates to false for this gate-check job prevents other dependent jobs from running.
runs-on: ubuntu-latest
steps:
- id: checkUserMember
# Only check for manual runs, not scheduled runs
if: github.event_name == 'workflow_dispatch'
uses: tspascoal/get-user-teams-membership@v2
with:
username: ${{ github.actor }}
team: 'vro-restricted'
GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN_READ_TEAM }}
- name: "Check permission"
id: check-permission
# Only check for manual runs, not scheduled runs
if: github.event_name == 'workflow_dispatch'
run: |
echo "${{ github.actor }} isTeamMember: ${{ steps.checkUserMember.outputs.isTeamMember }}"
echo "Member of teams: ${{ steps.checkUserMember.outputs.teams }}"
if [ ${{ steps.checkUserMember.outputs.isTeamMember }} = 'false' ]; then
echo "Only VRO-RESTRICTED team members can run this action!" | tee -a "$GITHUB_STEP_SUMMARY"
exit 3
fi

delete_runs:
needs: gate-check
runs-on: ubuntu-latest
steps:
- name: "Delete old workflow runs"
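Review bot: the membership lookup in `checkUserMember` uses `username: ${{ github.actor }}`, which on a re-run is the user who started the original run, not the user who clicked re-run (that is `github.triggering_actor`). Passing `github.triggering_actor` instead makes the gate apply to whoever actually initiates each run. This hunk also has the same unquoted `[ ${{ ... }} = 'false' ]` test as delete-published-images.yml; quote the expression as delete-old-releases.yml does.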
35 changes: 32 additions & 3 deletions .github/workflows/deploy-secrets.yml
Expand Up @@ -29,9 +29,35 @@ on:
type: boolean

jobs:
gate-check:
# Adding an `if:` that evaluates to false for this gate-check job prevents other dependent jobs from running.
if: github.repository == 'department-of-veterans-affairs/abd-vro-internal'
runs-on: ubuntu-latest
steps:
- id: checkUserMember
# Only check for manual runs against prod
if: github.event_name == 'workflow_dispatch' && inputs.target_env == 'prod'
uses: tspascoal/get-user-teams-membership@v2
with:
username: ${{ github.actor }}
team: 'vro-restricted'
GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN_READ_TEAM }}
- name: "Check permission"
id: check-permission
# Only check for manual runs against prod
if: github.event_name == 'workflow_dispatch' && inputs.target_env == 'prod'
run: |
echo "${{ github.actor }} isTeamMember: ${{ steps.checkUserMember.outputs.isTeamMember }}"
echo "Member of teams: ${{ steps.checkUserMember.outputs.teams }}"
if [ ${{ steps.checkUserMember.outputs.isTeamMember }} = 'false' ]; then
echo "Only VRO-RESTRICTED team members can run this action for ${{inputs.target_env}}!" | tee -a "$GITHUB_STEP_SUMMARY"
exit 3
fi

publish_image:
name: "Publish GitHub runner image"
if: ${{ inputs.publish_new_image || false }} && (github.repository == 'department-of-veterans-affairs/abd-vro-internal')
needs: gate-check
if: ${{ inputs.publish_new_image || false }}
runs-on: ubuntu-latest
steps:
- name: "Login to GitHub Container Registry"
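Review bot: the gate here only verifies team membership when `inputs.target_env == 'prod'`, so a manual run against any other environment is allowed for every actor who can dispatch the workflow; the step comments say this is intended, but it is worth stating in the workflow's top-level description so readers of the run summary do not assume all manual deploys are restricted. Moving the repository check from `publish_image` to the job-level `if:` on `gate-check` is fine because a skipped gate-check skips its dependents, which is what the comment on that line relies on; keep that comment in sync if the condition changes.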
Expand All @@ -58,8 +84,11 @@ jobs:

gh_runner:
name: "Start GitHub runner to set ${{ inputs.target_env }} secrets"
needs: publish_image
if: always() && (github.repository == 'department-of-veterans-affairs/abd-vro-internal')
# Run after publish_image job (if the job runs)
needs: [gate-check, publish_image]
# Always run even if publish_image job is skipped.
# Runs only if gate-check job succeeded and publish_image job succeeded or is skipped
if: always() && needs.gate-check.result == 'success' && (needs.publish_image.result == 'success' || needs.publish_image.result == 'skipped')
runs-on: ubuntu-latest
steps:
- name: "Set up kube config for dev env"
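Review bot: the new `if:` on `gh_runner` uses `always()` together with explicit `needs.*.result` checks, which is correct but also forces evaluation on cancelled runs, where only the `== 'success'` check saves you; `!cancelled() && needs.gate-check.result == 'success' && (needs.publish_image.result == 'success' || needs.publish_image.result == 'skipped')` expresses the intent more directly. The three comment lines above `needs` and `if` say the same thing twice; fold "Run after publish_image job (if the job runs)" into the sentence that follows it.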
28 changes: 26 additions & 2 deletions .github/workflows/update-deployment.yml
Expand Up @@ -84,10 +84,34 @@ env:
SHUTDOWN_FIRST: ${{ inputs.shutdown }}

jobs:
update-deployment:
# Required secrets are set in the specific repo
gate-check:
# Adding an `if:` that evaluates to false for this gate-check job prevents other dependent jobs from running.
if: github.repository == 'department-of-veterans-affairs/abd-vro-internal'
runs-on: ubuntu-latest
steps:
- id: checkUserMember
# Only check for manual runs against prod
if: github.event_name == 'workflow_dispatch' && inputs.target_env == 'prod'
uses: tspascoal/get-user-teams-membership@v2
with:
username: ${{ github.actor }}
team: 'vro-restricted'
GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN_READ_TEAM }}
- name: "Check permission"
id: check-permission
# Only check for manual runs against prod
if: github.event_name == 'workflow_dispatch' && inputs.target_env == 'prod'
run: |
echo "${{ github.actor }} isTeamMember: ${{ steps.checkUserMember.outputs.isTeamMember }}"
echo "Member of teams: ${{ steps.checkUserMember.outputs.teams }}"
if [ ${{ steps.checkUserMember.outputs.isTeamMember }} = 'false' ]; then
echo "Only VRO-RESTRICTED team members can run this action for ${{inputs.target_env}}!" | tee -a "$GITHUB_STEP_SUMMARY"
exit 3
fi

update-deployment:
needs: gate-check
runs-on: ubuntu-latest
steps:
- name: "Slack: workflow triggered"
id: notify-slack
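Review bot: this hunk changes behaviour in the public repository: `update-deployment` previously had no repository condition, and it now depends on `gate-check`, whose job-level `if:` is false outside `abd-vro-internal`, so the deployment job will be skipped there. If that is intended, say so in a comment on `update-deployment`; the dropped line `# Required secrets are set in the specific repo` was the only note explaining the repo dependency and should be kept next to the job. The `[ ${{ ... }} = 'false' ]` test has the same missing quotes as in the other workflows.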