Automate GitHub Actions allow list for GitHub Enterprise accounts
name: Deploy GitHub Actions allow list
on:
push:
branches: [main]
paths: [github-actions-allow-list.yml]
jobs:
deploy:
runs-on: ubuntu-latest
permissions: read-all
steps:
- name: Checkout
uses: actions/checkout@v2.3.4
- name: Setup node
uses: actions/setup-node@v2.1.5
with:
node-version: 14.x
- name: Deploy GitHub Actions allow list
uses: ActionsDesk/github-actions-allow-list-as-code-action@v1.1.2
with:
token: ${{ secrets.ENTERPRISE_ADMIN_TOKEN }}
enterprise: 'your-enterprise'
# same as defined under `on.pull_requests.paths`
allow_list_path: github-actions-allow-list.yml
# gh_api_url: 'https://github.example.com/api/v3' # Only required for GitHub Enterprise Server
Name | Description | Default | Required |
---|---|---|---|
token |
GitHub Personal Access Token (PAT) with admin:enterprise or admin:org scope |
true |
|
organization |
GitHub organization slug | false |
|
enterprise |
GitHub Enterprise account slug | false |
|
allow_list_path |
Path to the GitHub Actions allow list YML within the repository | github-actions-allow-list.yml |
false |
gh_api_url |
GitHub Enterprise Servier - URL to the GitHub API endpoint. Example: https://github.example.com/api/v3. |
https://api.github.com |
false |
ℹ️ Notes for providing enterprise
or organization
:
- Either provide
enterprise
to update the GitHub Enterprise Cloud's actions allow list, ororganization
to update a single organization's allow list. - Providing both will result in the action run failing with
Please provide only one of: enterprise, organization
. - If providing
organization
, but the allow list is handled via GitHub Enterprise Cloud's actions allow list, the action run will fail withSelected actions are already set at the enterprise level
.
Example content for Allow List file containing actions:
key and list with two allowed actions.
actions:
- actionsdesk/github-actions-allow-list-as-code-action@v1.1.2
- hashicorp/vault-action@v2.4.0