feat: validate GitHub App permissions via API and add tests #70
Conversation
- Use `octokit.rest.users.getByUsername` to determine actor type (`User` or `Bot`) - Fetch GitHub App installation details with `octokit.rest.apps.getRepoInstallation` for permission validation. - Ensure GitHub Apps have `"issues"` permission set to `"write"` before allowing execution. - Add test cases for GitHub App actors
|
In the context of the https://github.com/MorphoCloud/MorphoCloudWorkflow project, it would be very convenient to allow triggering workflow after our dedicated GitHub App user comment1 on issue. Despite of being added to the
Footnotes |
|
@jcfr Thank you for this! 🚀 I can see right away how this could be useful. Pretty much how I build these Actions is always allowing for users to toggle on/off features like this so I pushed a commit to add a new I also did the following:
|
|
@jcfr I think these changes should be good to merge in shortly. Could I ask that you briefly fill out some docs around using GitHub Apps with this Action so that others who want to do the same have a bit of info/context to go off of? I created a new doc here for you to add some notes. Thank you! |
|
Also, for testing you could likely point a previous using of For example you could do: - uses: jcfr/command@support-granting-permission-to-bot-userand that should work by using this branch |
|
Thanks for both the quick review and for bringing this patch to the next level 🙏 🚀 Adding support for
I will test in the morning and report back.
I will do so. Thanks for the suggestion. |
|
At first, I observed the following:
Then, I explicitly associated the token retrieved from the Github App with the
I am wondering if I should grant additional permission to the GitHub App .. |
| } | ||
|
|
||
| // Fetch installation details for the GitHub App | ||
| const installationRes = await octokit.rest.apps.getRepoInstallation({ |
There was a problem hiding this comment.
@jcfr I think that perhaps we are going about this the wrong way. The octokit.rest.apps.getRepoInstallation() method expects to be called from an authenticated GitHub App client. This isn't really what you likely want as then you have to pass in the same credentials of the GitHub App into the github/command Action.
That would be unnecessary as you are only trying to check to see if the GitHub App has proper permissions to interact with this repo in the same way that the Action checks if Users have the correct permissions.
I should have caught this earlier as a different approach will need to be taken.
I feel like there certainly has to be a way to check the permissions of a GitHub App on a repo without having to authenticate as the GitHub App itself but I don't know off the top of my head 🤔.
There was a problem hiding this comment.
Doing a very brief search I don't see anything jumping out to me right away to see if it is possible to figure out if a GitHub App has "proper permissions" to interact with a repository in this sense.
Note: I did not do an extensive search
If it turns out that there isn't a solid way to check the permissions of a GitHub App without directly authenticating as it, you might have to get creative here.
Some potential ideas could be a new input called: allowed_github_apps: monalisa[bot],someother[bot]. Then users would simply configure an explicit allowlist of GitHub Apps that they trust and be able to invoke workflows using the github/command Action.
Just a thought.. might have to go low tech to get this to work.
There was a problem hiding this comment.
Thanks for following up and for looking into ways of addressing this 🙏
I feel like there certainly has to be a way to check the permissions of a GitHub App on a repo without having to authenticate as the GitHub App itself
Ditto. That would be ideal.
If it turns out that there isn't a solid way to check the permissions of a GitHub App without directly authenticating as it, you might have to get creative here.
Some potential ideas could be a new input called:allowed_github_apps:monalisa[bot],someother[bot]. Then users would simply configure an explicit allowlist of GitHub Apps that they trust and be able to invoke workflows using the github/command Action.
That seems reasonable.
And this could be done by either explicitly passing my-awesome[bot] or by using the app-slug output of the actions/create-github-app-token action.
- uses: actions/create-github-app-token@0d564482f06ca65fa9e77e2510873638c82206f2 # v1.11.5
id: app-token
with:
app-id: ${{ vars.MY_AWESOME_WORKFLOW_APP_ID }}
private-key: ${{ secrets.MY_AWESOME_WORKFLOW_APP_PRIVATE_KEY }}
- name: awesome command
id: awesome_command
uses: github/command@vX.Y.Z
with:
command: "/awesome"
reaction: "rocket"
allowed_contexts: "issue"
permissions: "read,triage,write,maintain,admin"
allowlist:
"${{ steps.app-token.outputs.app-slug }}[bot]"There was a problem hiding this comment.
I think explicitly passing my-awesome[bot] would be the best way to do so as not everyone would be using the app slug in combination with the actions/create-github-app-token job.
This seems like the best way forward to me.
There was a problem hiding this comment.
I think explicitly passing
my-awesome[bot][...] best way
I started updating the PR this weekend and I will try to get that finalized asap.
Thanks for the patience :pray
octokit.rest.users.getByUsernameto determine actor type (UserorBot)octokit.rest.apps.getRepoInstallationfor permission validation."issues"permission set to"write"before allowing execution.