# Automate GitHub Actions allow list for GitHub Enterprise accounts
Example workflow that deploys the allow list whenever the file changes on `main`:

```yaml
name: Deploy GitHub Actions allow list

on:
  push:
    branches: [main]
    paths: [github-actions-allow-list.yml]

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions: read-all
    steps:
      - name: Checkout
        uses: actions/checkout@v2.3.4

      - name: Setup node
        uses: actions/setup-node@v2.1.5
        with:
          node-version: 14.x

      - name: Deploy GitHub Actions allow list
        uses: ActionsDesk/github-actions-allow-list-as-code-action@v1.1.2
        with:
          token: ${{ secrets.ENTERPRISE_ADMIN_TOKEN }}
          enterprise: 'your-enterprise'
          # same path as defined under `on.push.paths`
          allow_list_path: github-actions-allow-list.yml
          # gh_api_url: 'https://github.example.com/api/v3' # Only required for GitHub Enterprise Server
```
Name | Description | Default | Required
---|---|---|---
`token` | GitHub Personal Access Token (PAT) with `admin:enterprise` or `admin:org` scope | | true
`organization` | GitHub organization slug | | false
`enterprise` | GitHub Enterprise account slug | | false
`allow_list_path` | Path to the GitHub Actions allow list YML within the repository | `github-actions-allow-list.yml` | false
`gh_api_url` | GitHub Enterprise Server: URL to the GitHub API endpoint, e.g. `https://github.example.com/api/v3` | `https://api.github.com` | false
ℹ️ Notes for providing `enterprise` or `organization`:

- Either provide `enterprise` to update the GitHub Enterprise Cloud's actions allow list, or `organization` to update a single organization's allow list.
- Providing both will result in the action run failing with `Please provide only one of: enterprise, organization`.
- If providing `organization`, but the allow list is handled via GitHub Enterprise Cloud's actions allow list, the action run will fail with `Selected actions are already set at the enterprise level`.
Example content for the allow list file, containing an `actions:` key and a list with two allowed actions:

```yaml
actions:
  - actionsdesk/github-actions-allow-list-as-code-action@v1.1.2
  - hashicorp/vault-action@v2.4.0
```
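Because the allow list decides which third-party actions may run across the whole enterprise or organization, it is worth linting the file before the deploy workflow above pushes it. The script below is an added example, not the ActionsDesk action's own code: it parses the flat file shape shown above (an `actions:` key followed by plain string items, so no YAML library is needed), flags entries that weaken the policy (wildcards, malformed patterns, duplicates, and refs that are not a full commit SHA), and builds the request the deploy step conceptually sends, enforcing the `enterprise`/`organization` exclusivity rule from the notes. The endpoint paths and body fields are GitHub's documented REST routes for setting allowed actions; the `example-org` entries and the 40-character SHA in the sample are constructed placeholders.

```python
"""Lint a GitHub Actions allow-list file and build the 'set allowed actions'
request. Added example for this README; not the action's own implementation."""
import re

# Shapes GitHub accepts for allowed-action patterns:
#   owner/*   owner/repo@*   owner/repo@<tag|branch|sha>
PATTERN_RE = re.compile(r"^[A-Za-z0-9-]+/(\*|[A-Za-z0-9._-]+@(\*|[A-Za-z0-9._/-]+))$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample file: the two entries from the README plus two
# placeholder entries (a wildcard and a SHA-pinned action) to exercise the linter.
SAMPLE_ALLOW_LIST = """actions:
  - actionsdesk/github-actions-allow-list-as-code-action@v1.1.2
  - hashicorp/vault-action@v2.4.0
  - example-org/*   # placeholder: wildcard, flagged below
  - example-org/some-action@0123456789abcdef0123456789abcdef01234567
"""


def parse_allow_list(text):
    """Parse the flat `actions:` list shape used by this README.
    Assumption: no nested YAML, so a few lines replace a YAML parser."""
    entries, in_actions = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if line.strip() == "actions:":
            in_actions = True
            continue
        if in_actions and line.lstrip().startswith("- "):
            entries.append(line.lstrip()[2:].strip().strip("'\""))
        else:
            raise ValueError(f"unexpected line in allow list: {raw!r}")
    return entries


def lint_entries(entries):
    """Return (entry, finding) pairs for entries that weaken the policy."""
    findings, seen = [], set()
    for entry in entries:
        if entry in seen:
            findings.append((entry, "duplicate"))
        seen.add(entry)
        if not PATTERN_RE.match(entry):
            findings.append((entry, "malformed pattern"))
            continue
        if "*" in entry:
            findings.append((entry, "wildcard"))
            continue
        ref = entry.split("@", 1)[1]
        if not FULL_SHA_RE.match(ref):
            findings.append((entry, "mutable ref (tag or branch, not a 40-char SHA)"))
    return findings


def build_request(entries, enterprise=None, organization=None,
                  gh_api_url="https://api.github.com"):
    """Build (method, url, body) for GitHub's 'set allowed actions' endpoint.
    Exactly one of enterprise/organization must be given, as the README notes."""
    if enterprise and organization:
        raise ValueError("Please provide only one of: enterprise, organization")
    if not (enterprise or organization):
        raise ValueError("Provide one of: enterprise, organization")
    base = gh_api_url.rstrip("/")
    if enterprise:
        url = f"{base}/enterprises/{enterprise}/actions/permissions/selected-actions"
    else:
        url = f"{base}/orgs/{organization}/actions/permissions/selected-actions"
    body = {
        "github_owned_allowed": True,
        "verified_allowed": False,
        "patterns_allowed": sorted(set(entries)),
    }
    return "PUT", url, body


if __name__ == "__main__":
    parsed = parse_allow_list(SAMPLE_ALLOW_LIST)
    for entry, finding in lint_entries(parsed):
        print(f"{finding}: {entry}")
    method, url, body = build_request(parsed, enterprise="your-enterprise")
    print(method, url, body["patterns_allowed"])
```

Run as a pre-merge check on the allow-list repository: a non-empty findings list is a reason to block the change rather than let the deploy workflow ship a wildcard to every organization under the enterprise.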