github: translate access controls permissions

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
CrazyMax
2023-02-03 04:09:04 +01:00
parent ad59af8cf2
commit 3e2548a8ed
3 changed files with 40 additions and 20 deletions


@@ -107,12 +107,12 @@ describe('actionsRuntimeToken', () => {
it('fixture', async () => {
process.env.ACTIONS_RUNTIME_TOKEN = fs.readFileSync(path.join(__dirname, 'fixtures', 'runtimeToken.txt')).toString().trim();
const runtimeToken = GitHub.actionsRuntimeToken;
expect(runtimeToken.ac).toEqual('[{"Scope":"refs/heads/master","Permission":3}]');
expect(runtimeToken.iss).toEqual('vstoken.actions.githubusercontent.com');
expect(runtimeToken?.ac).toEqual('[{"Scope":"refs/heads/master","Permission":3}]');
expect(runtimeToken?.iss).toEqual('vstoken.actions.githubusercontent.com');
});
});
describe('printActionsRuntimeToken', () => {
describe('printActionsRuntimeTokenACs', () => {
const originalEnv = process.env;
beforeEach(() => {
jest.resetModules();
@@ -126,18 +126,13 @@ describe('printActionsRuntimeToken', () => {
it('empty', async () => {
const execSpy = jest.spyOn(core, 'info');
process.env.ACTIONS_RUNTIME_TOKEN = '';
GitHub.printActionsRuntimeToken();
await GitHub.printActionsRuntimeTokenACs();
expect(execSpy).toHaveBeenCalledWith(`ACTIONS_RUNTIME_TOKEN not set`);
});
it('prints ac', () => {
it('refs/heads/master', async () => {
const execSpy = jest.spyOn(core, 'info');
process.env.ACTIONS_RUNTIME_TOKEN = fs.readFileSync(path.join(__dirname, 'fixtures', 'runtimeToken.txt')).toString().trim();
GitHub.printActionsRuntimeToken();
expect(execSpy).toHaveBeenCalledWith(`[
{
"Scope": "refs/heads/master",
"Permission": 3
}
]`);
await GitHub.printActionsRuntimeTokenACs();
expect(execSpy).toHaveBeenCalledWith(`refs/heads/master: read/write`);
});
});
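Review bot: The new `printActionsRuntimeTokenACs` tests cover only the unset token and the `Permission: 3` fixture, so the `read`, `write` and `unimplemented (...)` branches and the `core.warning` path in the `catch` are never exercised. These log lines are what a user reads to judge what the runtime token can do, so a mapping regression would go unnoticed. I would add one case per permission value using constructed fixtures. I would also add a case whose `ac` claim is not valid JSON, spying on `core.warning` and asserting `expect(warnSpy).toHaveBeenCalledWith(expect.stringContaining('Cannot parse Actions Runtime Token Access Controls'))`.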


@@ -20,7 +20,7 @@ import * as github from '@actions/github';
import {Context} from '@actions/github/lib/context';
import jwt_decode from 'jwt-decode';
import {GitHubActionsRuntimeToken, GitHubRepo} from './types/github';
import {GitHubActionsRuntimeToken, GitHubActionsRuntimeTokenAC, GitHubRepo} from './types/github';
export interface GitHubOpts {
token?: string;
@@ -49,17 +49,37 @@ export class GitHub {
return process.env.GITHUB_API_URL || 'https://api.github.com';
}
static get actionsRuntimeToken(): GitHubActionsRuntimeToken {
static get actionsRuntimeToken(): GitHubActionsRuntimeToken | undefined {
const token = process.env['ACTIONS_RUNTIME_TOKEN'] || '';
return token ? jwt_decode<GitHubActionsRuntimeToken>(token) : {};
return token ? jwt_decode<GitHubActionsRuntimeToken>(token) : undefined;
}
public static async printActionsRuntimeToken() {
const actionsRuntimeToken = process.env['ACTIONS_RUNTIME_TOKEN'];
if (actionsRuntimeToken) {
core.info(JSON.stringify(JSON.parse(GitHub.actionsRuntimeToken.ac as string), undefined, 2));
} else {
public static async printActionsRuntimeTokenACs() {
const jwt = GitHub.actionsRuntimeToken;
if (!jwt) {
core.info(`ACTIONS_RUNTIME_TOKEN not set`);
return;
}
try {
<Array<GitHubActionsRuntimeTokenAC>>JSON.parse(`${jwt.ac}`).forEach(ac => {
let permission: string;
switch (ac.Permission) {
case 1:
permission = 'read';
break;
case 2:
permission = 'write';
break;
case 3:
permission = 'read/write';
break;
default:
permission = `unimplemented (${ac.Permission})`;
}
core.info(`${ac.Scope}: ${permission}`);
});
} catch (e) {
core.warning(`Cannot parse Actions Runtime Token Access Controls: ${e.message}`);
}
}
}
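Review bot: In `printActionsRuntimeTokenACs` the assertion `<Array<GitHubActionsRuntimeTokenAC>>` appears to bind to the whole `JSON.parse(...).forEach(...)` call rather than to the parsed value, so `ac` inside the callback stays untyped. Nothing checks at runtime that the claim is an array of `{Scope, Permission}` objects either. Assigning first, `const acs: GitHubActionsRuntimeTokenAC[] = JSON.parse(String(jwt.ac));` followed by `if (!Array.isArray(acs)) throw new Error('ac claim is not an array');` and then `acs.forEach(...)`, puts the type where it was intended and gives a clear warning for a malformed claim. `jwt_decode` only decodes the payload and does not verify the signature, so a doc comment on the method should say the printed scopes are informational and must not be used for authorization decisions. The `GitHub` class itself starts outside this hunk.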


@@ -29,3 +29,8 @@ export type GitHubRepo = OctoOpenApiTypes['schemas']['repository'];
export interface GitHubActionsRuntimeToken extends JwtPayload {
ac?: string;
}
export interface GitHubActionsRuntimeTokenAC {
Scope: string;
Permission: number;
}
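Review bot: `GitHubActionsRuntimeTokenAC` is added without any documentation of what `Permission` encodes, so the only place the meaning is recorded is the `switch` in `printActionsRuntimeTokenACs`. I would add a TSDoc comment such as `/** One entry of the runtime token's "ac" claim. Permission values handled by this toolkit: 1 = read, 2 = write, 3 = read/write. */`. It should also note that the values come from an unverified decoded token and that other numbers may appear.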