access-groups

An action to help determine what groups a user belongs to.

This action does not create any GitHub entities or modify repositories.

Future releases may include a fail-if clause, which would act as a fast fail for that step or job.

Usage

- id: access
  uses: sudojunior/access-groups@main # or specific tag
  
- if: ${{ include(steps.access.outputs.groups, "repo collaborator") }}
  # only run if the user is a repo collaborator
  uses: actions/github-script@v4.0.2
  with:
    script: |
      await github.issues.createComment({
        issue_number: context.issue.number,
        body: "You're a collaborator on this repository!",
        owner: context.repo.owner,
        repo: context.repo.repo
      })

Arguments

GitHub Token {Future}

Will allow for scope use of context info like organization and sponsors (maybe...).

- id: groups
  uses: sudojunior/access-groups@main
  with:
    github-token: ${{ github.token }} # as default

Output

• groups is an array of access groups, as explained below.
• highest-group is the first element from groups.

Explaination of groups

GitHub has a set of adaptive groups that exist under the hood to control permissions per repository and organization.

It is worth noting that the data for the query to determine other groups is there, but may not implemented yet.

Access groups

• site admin = Covers both public deployment for GitHub Staff and Enterprise Deployment
• repo owner -> site admin = (If under user scope) is current actor the owner of this repository?
• repo admin -> site admin = is current actor an admin of this repository?
• repo maintainer -> repo admin = is current actor a maintainer of this repository?
• repo triage -> repo maintainer = is current actor a member of the triage team in this repository?
• repo observer -> repo triage = is current actor an observer to this repository?
• bounty-hunter = is current actor a bounty hunter?
• campus-expert = is current actor a campus expert? (may include alumni)
• developer-program-member = is current actor a developer program member?

Future

• (Scope) Organization
  • Member (#8)
  • Repo Admin (#11)
  • Repo Maintainer (#12)
  • Repo Triage (#14)
  • Read / Observer (#20)
• (Scope) User
  • Follower (#26)
  • Campus Expert (#16)
  • Bounty Hunter (#17)
  • Developer Program Member (#18)
• (Scope) Repository
  • Stargazer (#25)
  • Repo Collaborator (#9)
  • Context Author {Issue / PR / Discussion?} (#15)
  • Repo Contributor (#27)
• Sponsor {User / Organization} (#19)

Distant Future

Using GraphQL notation, instead of group identifiers.

• isEmployee = Checks if the actor is a GitHub Employee
• isHireable = Checks if the actor is Hireable
• isGitHubStar = Checks if the actor is part of the GitHub Star program
• repositoriesContributedTo = Checks if the actor has contributed to any repositories *other than their own, unless specified. (quantity required - first or last)

---

• Organization Team Member (wildcard)
  Contains child teams, and team roles (MAINTAINER, MEMBER)
  (Dangerous recursion with child teams)

Contributors

Dependabot 🚧 🛡️

Packages

• actions/toolkit - API and Actions wrapper
• VSCode - Preferred editor
• xo && ava - CI linting and testing
• @vercel/ncc - Build process

Known Issues

• Any file matching to ./tests/**/*.ts has a warning exactly like the one below, it is unknown as to why this is happening - but it does not affect the build process.

  Parsing error: "parserOptions.project" has been set for @typescript-eslint/parser.
  The file does not match your project config: tests\main.test.ts.
  The file must be included in at least one of the projects provided.

Future consideration

• Complete Security Checklist

User / Repo context override (via argument)

Currenly open in #22

- uses: sudojunior/access-groups@main
  with:
    user: ${{ github.actor }} # as default
    repo: ${{ github.repository }} # as default