Entitlements plugin for a robust audit log
Перейти к файлу
Grant Birkinbine 318be6f434
Merge pull request #72 from github/dependabot/github_actions/github-actions-fb7014ef76
Bump ruby/setup-ruby from 1.188.0 to 1.196.0 in the github-actions group across 1 directory
2024-10-09 14:16:25 -07:00
.github Bump ruby/setup-ruby in the github-actions group across 1 directory 2024-10-08 21:10:03 +00:00
bin entitlements-gitrepo-auditor-plugin 2022-06-07 12:12:28 -04:00
lib bump version to v1.0.0 2024-06-10 13:32:32 -07:00
script swap to docker compose v2 2024-04-03 13:05:51 -06:00
spec upgrading to ruby `3.3.1` 2024-06-10 13:28:11 -07:00
vendor/cache Bump rexml from 3.3.3 to 3.3.6 in the bundler group 2024-08-26 17:52:46 +00:00
.gitignore entitlements-gitrepo-auditor-plugin 2022-06-07 12:12:28 -04:00
.rubocop.yml upgrading to ruby `3.3.1` 2024-06-10 13:28:11 -07:00
.ruby-version upgrading to ruby `3.3.1` 2024-06-10 13:28:11 -07:00
Gemfile entitlements-gitrepo-auditor-plugin 2022-06-07 12:12:28 -04:00
Gemfile.lock Bump rexml from 3.3.3 to 3.3.6 in the bundler group 2024-08-26 17:52:46 +00:00
LICENSE add license 2022-06-07 10:31:33 -06:00
README.md docs fixes 2023-08-29 13:44:41 -06:00
entitlements-gitrepo-auditor-plugin.gemspec Bump the dev-ruby-dependencies group across 1 directory with 3 updates 2024-06-11 16:44:43 +00:00

README.md

entitlements-gitrepo-auditor-plugin

acceptance test lint build release codeql coverage style

entitlements-gitrepo-auditor-plugin is an entitlements-app plugin allowing further auditing capabilities in entitlements by writing each deploy log to a separate GitHub repo.

Usage

Your entitlements-app config config/entitlements.yaml runs through ERB interpretation automatically. You can extend your entitlements configuration to load plugins like so:

<%-
  unless ENV['CI_MODE']
    begin
      require_relative "/data/entitlements/lib/entitlements-and-plugins"
    rescue Exception
      begin
        require_relative "lib/entitlements-and-plugins"
      rescue Exception
        # We might not have the plugins installed and still want this file to be
        # loaded. Don't raise anything but silently fail.
      end
    end
  end
-%>

You can then define lib/entitlements-and-plugins like so:

#!/usr/bin/env ruby
# frozen_string_literal: true

ENV["BUNDLE_GEMFILE"] = File.expand_path("../../Gemfile", File.dirname(__FILE__))
require "bundler/setup"
require "entitlements"

# require entitlements plugins here
require "entitlements/auditor/gitrepo"
require "entitlements/util/gitrepo"

Any plugins defined in lib/entitlements-and-plugins will be loaded and used at entitlements-app runtime.

Features

Git Repo Auditing

You can add automatic auditing to a separate GitRepo by enabling the following entitlements.yaml config:

<%-
    # NOTE: GITREPO_SSH_KEY must be base64 encoded.
    sshkey = ENV.fetch("GITREPO_SSH_KEY")
    shipper = ENV.fetch("GIT_SHIPPER", "<unknown person>")
    what = ["entitlements", ENV.fetch("GIT_BRANCH", "<unknown branch>")].join("/")
    sha = ENV.fetch("GIT_SHA1", "<unknown sha>")
    url = "https://github.com/github/entitlements-config/commit/#{sha}"
    commit_message = "#{shipper} deployed #{what} (#{url})"
-%>
auditors:
  - auditor_class: GitRepo
    checkout_directory: <%= ENV["GITREPO_CHECKOUT_DIRECTORY"] %>
    commit_message: <%= commit_message %>
    git_name: GitRepoUser
    git_email: gitrepousers@users.noreply
    person_dn_format: uid=%KEY%,ou=People,dc=github,dc=net
    repo: github/entitlements-config-auditlog
    sshkey: '<%= sshkey %>'
<%- end -%>

At the end of each entitlements-app run, the entitlements-gitrepo-auditor-plugin will write a commit to the repo defined above with the details of the deployment.

Release 🚀

To release a new version of this Gem, do the following:

  1. Update the version number in the lib/version.rb file
  2. Run bundle install to update the Gemfile.lock file with the new version
  3. Commit your changes, push them to GitHub, and open a PR

Once your PR is approved and the changes are merged, a new release will be created automatically by the release.yml workflow. The latest version of the Gem will be published to the GitHub Package Registry and RubyGems.