test for allowed Actions (#15850)

* test for allowed actions * lint * empty commit
2020-10-05 10:54:16 -07:00 · 2020-10-05 10:54:16 -07:00 · 716d974faf
--- a/.github/allowed-actions.js
+++ b/.github/allowed-actions.js
@ -0,0 +1,32 @@
+// This is an AllowList of GitHub Actions that are approved for use in this project.
+// If a new or existing workflow file is updated to use an action or action version not listed here,
+// CI will fail and the action will need to be audited by the docs engineering team before it
+// can be added it this list.
+
+module.exports = [
+  'actions/cache@v1',
+  'actions/cache@v2',
+  'actions/checkout@v2',
+  'actions/github-script@0.9.0',
+  'actions/github-script@v2',
+  'actions/github-script@v3',
+  'actions/labeler@v2',
+  'actions/setup-node@v1',
+  'actions/setup-ruby@v1',
+  'actions/stale@v3',
+  'dawidd6/action-delete-branch@v3',
+  'docker://chinthakagodawita/autoupdate-action:v1',
+  'github/codeql-action/analyze@v1',
+  'github/codeql-action/init@v1',
+  'ianwalter/puppeteer@3.0.0',
+  'juliangruber/approve-pull-request-action@v1',
+  'juliangruber/find-pull-request-action@v1',
+  'juliangruber/read-file-action@v1',
+  'pascalgn/automerge-action@135f0bdb927d9807b5446f7ca9ecc2c51de03c4a',
+  'peter-evans/create-issue-from-file@v2',
+  'peter-evans/create-pull-request@v2',
+  'repo-sync/github-sync@v2',
+  'repo-sync/pull-request@v2',
+  'rtCamp/action-slack-notify@master',
+  'rtCamp/action-slack-notify@v2.1.0'
+]
--- a/tests/unit/actions-workflows.js
+++ b/tests/unit/actions-workflows.js
@ -0,0 +1,35 @@
+const fs = require('fs')
+const path = require('path')
+const yaml = require('js-yaml')
+const flat = require('flat')
+const { chain, difference, get } = require('lodash')
+const workflowsDir = path.join(__dirname, '../../.github/workflows')
+const workflows = fs.readdirSync(workflowsDir)
+  .filter(filename => filename.endsWith('.yml') || filename.endsWith('.yaml'))
+  .map(filename => {
+    const fullpath = path.join(workflowsDir, filename)
+    const data = yaml.load(fs.readFileSync(fullpath, 'utf8'), { fullpath })
+    return { filename, fullpath, data }
+  })
+const allowedActions = require('../../.github/allowed-actions')
+
+function actionsUsedInWorkflow (workflow) {
+  return Object.keys(flat(workflow))
+    .filter(key => key.endsWith('.uses'))
+    .map(key => get(workflow, key))
+}
+
+describe('GitHub Actions workflows', () => {
+  test('only use allowed actions from ./github/allow-actions.json', async () => {
+    const allUsedActions = chain(workflows)
+      .map(actionsUsedInWorkflow)
+      .flatten()
+      .uniq()
+      .sort()
+      .value()
+
+    expect(allowedActions.length).toBeGreaterThan(0)
+    expect(allUsedActions.length).toBeGreaterThan(0)
+    expect(difference(allowedActions, allUsedActions)).toEqual([])
+  })
+})