From 716d974faf0d6aef25723259933ba60d7167b8c3 Mon Sep 17 00:00:00 2001
From: Zeke Sikelianos
Date: Mon, 5 Oct 2020 10:54:16 -0700
Subject: [PATCH] test for allowed Actions (#15850)

* test for allowed actions
* lint
* empty commit
---
 .github/allowed-actions.js | 32 ++++++++++++++++++++++++++++++
 tests/unit/actions-workflows.js | 35 +++++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+)
 create mode 100644 .github/allowed-actions.js
 create mode 100644 tests/unit/actions-workflows.js

diff --git a/.github/allowed-actions.js b/.github/allowed-actions.js
new file mode 100644
index 0000000000..f9ce4ab370
--- /dev/null
+++ b/.github/allowed-actions.js
@@ -0,0 +1,32 @@
+// This is an AllowList of GitHub Actions that are approved for use in this project.
+// If a new or existing workflow file is updated to use an action or action version not listed here,
+// CI will fail and the action will need to be audited by the docs engineering team before it
+// can be added it this list.
+
+module.exports = [
+  'actions/cache@v1',
+  'actions/cache@v2',
+  'actions/checkout@v2',
+  'actions/github-script@0.9.0',
+  'actions/github-script@v2',
+  'actions/github-script@v3',
+  'actions/labeler@v2',
+  'actions/setup-node@v1',
+  'actions/setup-ruby@v1',
+  'actions/stale@v3',
+  'dawidd6/action-delete-branch@v3',
+  'docker://chinthakagodawita/autoupdate-action:v1',
+  'github/codeql-action/analyze@v1',
+  'github/codeql-action/init@v1',
+  'ianwalter/puppeteer@3.0.0',
+  'juliangruber/approve-pull-request-action@v1',
+  'juliangruber/find-pull-request-action@v1',
+  'juliangruber/read-file-action@v1',
+  'pascalgn/automerge-action@135f0bdb927d9807b5446f7ca9ecc2c51de03c4a',
+  'peter-evans/create-issue-from-file@v2',
+  'peter-evans/create-pull-request@v2',
+  'repo-sync/github-sync@v2',
+  'repo-sync/pull-request@v2',
+  'rtCamp/action-slack-notify@master',
+  'rtCamp/action-slack-notify@v2.1.0'
+]
\ No newline at end of file
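Review bot: All but one entry in the new allowlist pin a mutable reference — a floating tag such as `actions/checkout@v2`, a branch in `rtCamp/action-slack-notify@master`, or an image tag in `docker://chinthakagodawita/autoupdate-action:v1` — and since the list is compared as plain strings, the code a workflow actually runs can change upstream without this check ever failing; only `pascalgn/automerge-action@135f0bdb927d9807b5446f7ca9ecc2c51de03c4a` is pinned to a commit. Consider pinning at least the third-party (non-`actions/`, non-`github/`) entries to a full commit SHA and recording the human-readable version in a trailing comment, e.g. `'owner/action@<full-sha>', // vX.Y.Z`, and treating a branch reference like `@master` as not acceptable on this list. The last line of the header comment has a typo: `can be added it this list` should read `can be added to this list`.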
diff --git a/tests/unit/actions-workflows.js b/tests/unit/actions-workflows.js
new file mode 100644
index 0000000000..872e0adf98
--- /dev/null
+++ b/tests/unit/actions-workflows.js
@@ -0,0 +1,35 @@
+const fs = require('fs')
+const path = require('path')
+const yaml = require('js-yaml')
+const flat = require('flat')
+const { chain, difference, get } = require('lodash')
+const workflowsDir = path.join(__dirname, '../../.github/workflows')
+const workflows = fs.readdirSync(workflowsDir)
+  .filter(filename => filename.endsWith('.yml') || filename.endsWith('.yaml'))
+  .map(filename => {
+    const fullpath = path.join(workflowsDir, filename)
+    const data = yaml.load(fs.readFileSync(fullpath, 'utf8'), { fullpath })
+    return { filename, fullpath, data }
+  })
+const allowedActions = require('../../.github/allowed-actions')
+
+function actionsUsedInWorkflow (workflow) {
+  return Object.keys(flat(workflow))
+    .filter(key => key.endsWith('.uses'))
+    .map(key => get(workflow, key))
+}
+
+describe('GitHub Actions workflows', () => {
+  test('only use allowed actions from ./github/allow-actions.json', async () => {
+    const allUsedActions = chain(workflows)
+      .map(actionsUsedInWorkflow)
+      .flatten()
+      .uniq()
+      .sort()
+      .value()
+
+    expect(allowedActions.length).toBeGreaterThan(0)
+    expect(allUsedActions.length).toBeGreaterThan(0)
+    expect(difference(allowedActions, allUsedActions)).toEqual([])
+  })
+})
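Review bot: The final assertion checks the wrong direction: lodash `difference(allowedActions, allUsedActions)` returns allowlist entries that no workflow uses, so the test fails on a stale allowlist entry but passes when a workflow references an action that is not on the list — the exact case the header comment in `.github/allowed-actions.js` says CI should catch. Swap the arguments, `expect(difference(allUsedActions, allowedActions)).toEqual([])`, and if keeping the list free of unused entries is also wanted, assert the original direction as a separate expectation so a failure message says which problem occurred. The test name refers to `./github/allow-actions.json`, but the list is loaded from `../../.github/allowed-actions.js`; `'only use allowed actions from .github/allowed-actions.js'` would match the file actually read. Note that `actionsUsedInWorkflow` collects every `uses:` value, so local action paths and `docker://` references presumably also have to appear in the list verbatim once the comparison is corrected.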