├── test.sh ├── .gitignore ├── package.json ├── action.yaml ├── main.js ├── README.md └── LICENSE /test.sh: -------------------------------------------------------------------------------- 1 | # To test locally you will need these env vars set 2 | # remember to set them to proper values. 3 | export INPUT_GITHUB_TOKEN=$(gh auth token) 4 | export INPUT_TEAM=xxx 5 | export INPUT_ORG=xxx 6 | export INPUT_USERNAME=xxx 7 | export INPUT_MULTI_USER=false 8 | export INPUT_MULTI_DELIMITER=, 9 | export DEBUG=false 10 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Build and Release Folders 2 | bin-debug/ 3 | bin-release/ 4 | [Oo]bj/ 5 | [Bb]in/ 6 | node_modules 7 | dist/ 8 | 9 | # Other files and folders 10 | .settings/ 11 | 12 | # Executables 13 | *.swf 14 | *.air 15 | *.ipa 16 | *.apk 17 | 18 | # Project files, i.e. `.project`, `.actionScriptProperties` and `.flexProperties` 19 | # should NOT be excluded as they contain compiler settings and other important 20 | # information for Eclipse / Flash Builder. 21 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "actions-authorized-users", 3 | "version": "1.0.0", 4 | "description": "Checks to see if a users is in a whitelist or github team", 5 | "dependencies": { 6 | "@actions/core": "^1.10.1", 7 | "@actions/github": "^6.0.0", 8 | "@octokit/rest": "^20.0.2", 9 | "@vercel/ncc": "^0.38.1" 10 | }, 11 | "main": "main.js", 12 | "scripts": { 13 | "test": "echo \"Error: no test specified\" && exit 1" 14 | }, 15 | "repository": { 16 | "type": "git", 17 | "url": "git+https://github.com/morfien101/actions-authorized-users.git" 18 | }, 19 | "keywords": [ 20 | "github", 21 | "action" 22 | ], 23 | "author": "Randy Coburn", 24 | "license": "Apache-2.0", 25 | "bugs": { 26 | "url": "https://github.com/morfien101/actions-authorized-users/issues" 27 | }, 28 | "homepage": "https://github.com/morfien101/actions-authorized-users#readme" 29 | } 30 | -------------------------------------------------------------------------------- /action.yaml: -------------------------------------------------------------------------------- 1 | name: "Authorized User Check" 2 | description: "Checks if a user or users is whitelisted or a member of a team." 3 | branding: 4 | icon: "user-check" 5 | color: "green" 6 | inputs: 7 | username: 8 | description: "The username or list of usernames to check" 9 | required: true 10 | team: 11 | description: "The team name to check" 12 | required: true 13 | org: 14 | description: "The organization to check" 15 | required: true 16 | whitelist: 17 | description: "The whitelist of users to allow. Comma separated list." 18 | required: true 19 | github_token: 20 | description: "The github token to use. Must have at least 'org:read' scope." 21 | required: true 22 | multi_user: 23 | description: "If true will check all users supplied in a list. Output will be a list ordered by the order of the input." 24 | required: false 25 | default: "false" 26 | multi_delimiter: 27 | description: "The delimiter to use for the multi_user input." 28 | required: false 29 | default: "," 30 | outputs: 31 | team_member: 32 | description: Is the user a member of the team? False if whitelisted as whitelisting takes priority. 33 | whitelisted: 34 | description: Is the user whitelisted? 35 | authorized: 36 | description: Is the user part of the whitelist or team? 37 | 38 | runs: 39 | using: "node20" 40 | main: "index.js" 41 | -------------------------------------------------------------------------------- /main.js: -------------------------------------------------------------------------------- 1 | const { Octokit } = require("@octokit/rest"); 2 | const core=require('@actions/core'); 3 | 4 | function debugLog(message) { 5 | if (process.env.DEBUG === 'true') { 6 | console.log(`DEBUG: ${message}`); 7 | } 8 | } 9 | 10 | function checkWhitelist(username, whitelist) { 11 | console.log("Checking whitelist of " + username) 12 | return whitelist.split(',').includes(username); 13 | } 14 | 15 | async function checkTeamMembership(github_token, username, org, team_slug) { 16 | console.log(`Checking team membership of ${username} in team ${team_slug}`) 17 | const octokit = new Octokit({ 18 | auth: github_token, 19 | }); 20 | 21 | try { 22 | debugLog("Checking membership via Github API") 23 | debugLog("org: " + org) 24 | debugLog("team_slug: " + team_slug) 25 | debugLog("username: " + username) 26 | const membership = await octokit.rest.teams.getMembershipForUserInOrg({ 27 | org, 28 | team_slug, 29 | username, 30 | }); 31 | 32 | debugLog("membership data: " + JSON.stringify(membership.data)) 33 | 34 | if (membership.data.state == 'active') { 35 | return true; 36 | } 37 | } catch (error) { 38 | if (error.status == 404) { 39 | console.log("404 - User " + username + " is not a member of team " + team_slug + " in org " + org) 40 | } 41 | if (error.status >= 500) { 42 | console.log("There was an error checking a team membership. This is likely a GitHub API error. Status code: " + error.status) 43 | console.log(JSON.stringify(error)) 44 | } 45 | return false 46 | } 47 | 48 | return false; 49 | } 50 | 51 | async function singleCheck(github_token, team_slug, org, username, whitelist) { 52 | console.log("Checking user '" + username + "' in org '" + org + "' in team '" + team_slug + "' or against whitelist '" + whitelist + "'") 53 | 54 | let whitelisted = false; 55 | let team_member = false; 56 | 57 | if ( whitelist !== '') { 58 | console.log("Checking whitelist") 59 | whitelisted = checkWhitelist(username, whitelist); 60 | } 61 | 62 | if ((!whitelisted) && (team_slug !== '')) { 63 | console.log("Checking team membership") 64 | let team_membership = await checkTeamMembership(github_token, username, org, team_slug) 65 | if (team_membership) { 66 | team_member = true; 67 | } 68 | } 69 | console.log("User whitelisted:" + whitelisted + ", team member: " + team_member); 70 | core.setOutput('team_member', team_member); 71 | core.setOutput('whitelisted', whitelisted); 72 | core.setOutput('authorized', ((team_member) || (whitelisted))); 73 | } 74 | 75 | async function multiCheck(github_token, team_slug, org, username, whitelist, multi_delimiter) { 76 | const users = username.split(multi_delimiter); 77 | let outputs = { 78 | authorized: [], 79 | team_member: [], 80 | whitelisted: [] 81 | }; 82 | for (let user of users) { 83 | debugLog(`Multi user mode: testing user ${user} in org ${org} in team '${team_slug}' or against whitelist '${whitelist}'`) 84 | let whitelisted = false; 85 | let team_member = false; 86 | 87 | if ( whitelist !== '') { 88 | whitelisted = checkWhitelist(user, whitelist) 89 | } 90 | if ((!whitelisted) && (team_slug !== '')) { 91 | let team_membership = await checkTeamMembership(github_token, user, org, team_slug) 92 | if (team_membership) { 93 | team_member = true; 94 | } 95 | } 96 | console.log("User " + user + " whitelisted:" + whitelisted + ", team member: " + team_member); 97 | outputs.authorized.push(((team_member) || (whitelisted))) 98 | outputs.team_member.push(team_member) 99 | outputs.whitelisted.push(whitelisted) 100 | } 101 | 102 | core.setOutput('team_member', outputs.team_member.join(',')); 103 | core.setOutput('whitelisted', outputs.whitelisted.join(',')); 104 | core.setOutput('authorized', outputs.authorized.join(',')); 105 | } 106 | 107 | 108 | async function run(){ 109 | github_token = core.getInput('github_token'); 110 | team_slug = core.getInput('team'); 111 | org = core.getInput('org'); 112 | username = core.getInput('username'); 113 | whitelist = core.getInput('whitelist'); 114 | multi_user = core.getInput('multi_user') == 'true' ? true : false; 115 | multi_delimiter = core.getInput('multi_delimiter'); 116 | 117 | debugLog("Inputs:") 118 | debugLog("github_token: " + github_token !== "" ? "set and REDACTED" : "not set") 119 | debugLog("team_slug: " + team_slug) 120 | debugLog("org: " + org) 121 | debugLog("username: " + username) 122 | debugLog("whitelist: " + whitelist) 123 | debugLog("multi_user: " + multi_user) 124 | debugLog("multi_delimiter: " + multi_delimiter) 125 | 126 | 127 | if (multi_user) { 128 | console.log("Multi user mode enabled") 129 | await multiCheck(github_token, team_slug, org, username, whitelist, multi_delimiter); 130 | } else { 131 | console.log("Single user mode enabled") 132 | await singleCheck(github_token, team_slug, org, username, whitelist); 133 | } 134 | } 135 | 136 | run().catch(err => { 137 | console.log(err); 138 | core.setFailed(err.message); 139 | }); -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # actions-authorized-user 2 | 3 | Checks to see if a user is a member of a team or supplied whitelist. 4 | Can also take a list of usernames to check. This allows you to count how many users are authorized. 5 | 6 | This is intended to be used on workflows where the scope is limited to a specific set of users or Github apps. 7 | The rights of the repo may not reflect the permissions required to run all actions. 8 | For instance, not all maintainers should be allowed to start a production deployment. 9 | Or of the users in a PR how many of them are in a group? 10 | 11 | Github Apps can not be part of teams, so they will need to be part of the whitelist. 12 | To make it easier to pass the list around, a comma separated list of users is used on the whitelist. 13 | You can store this with the repo itself. 14 | 15 | :warning: Beware a user with write permissions could update the whitelist file and grant themselves permissions to execute the job. 16 | However, you'll at least have a log in the commit history of this. 17 | 18 | ## Requirements 19 | 20 | Like all actions, it will need a github token to make calls to the API. 21 | The Token passed onto the action needs to have at least the `org:read` permission. 22 | 23 | ## Hierarchy of checks 24 | 25 | - Whitelist membership is checked before team membership. 26 | 27 | - If a user is part of the whitelist, no team membership is checked. 28 | 29 | ## Inputs 30 | 31 | | Name | Required | Default | Description | 32 | | ------------ | -------- | ------- | ----------------------------------------------------------------------- | 33 | | username | Y | N/A | The username(s) to check. Normally `${{ github.actor }}` | 34 | | team | Y | N/A | The name of the team that should be allowed. A blank team will skip a team check | 35 | | org | Y | N/A | The organization to test against. Normally `${{ github.repo_owner }}` | 36 | | whitelist | N | '' | Comma separated usernames. Intended for Github Apps or exception users. | 37 | | github_token | Y | N/A | Github token with at least `org:read` in the permissions. | 38 | | multi_user | N | false | Allows looking up multiple users in a single call. | 39 | | multi_delimiter | N | ',' | The delimiter of the usernames passed in. 40 | 41 | ## Outputs 42 | 43 | | Name | Description | 44 | | ----------- | --------------------------------------------------------- | 45 | | team_member | The username was found using a team lookup. | 46 | | whitelisted | The username was in the supplied whitelist. | 47 | | authorized | The username was in either the teams or whitelist lookup. | 48 | 49 | If a single user is checked, you will get back a single value in each output. 50 | If multiple users are checked, you will get back a list of values. The order is the same as the order of the users passed in. 51 | 52 | Example of a single lookup: 53 | 54 | ```yaml 55 | on: 56 | workflow_dispatch: 57 | 58 | jobs: 59 | runs-on: ubuntu-latest 60 | steps: 61 | - id: get_token 62 | run: | 63 | echo "Get the github token you want to use" 64 | echo "Or use a Github App and generate the token here" 65 | echo "github_token=gh_abc123" >> ${{ GITHUB_OUTPUTS }} 66 | 67 | - id: auth_check 68 | uses: morfien101/actions-authorized-user@v3 69 | with: 70 | username: ${{ github.actor }} 71 | org: ${{ github.repo_owner }} 72 | team: "release_team" 73 | whitelist: "app1_name[bot],app2_name[bot],mona_the_cat" 74 | github_token: ${{ steps.get_token.outputs.github_token }} 75 | 76 | 77 | # You can either use a if statement on the steps to see if they are allowed to run. 78 | - name: can use a if statement on jobs 79 | if: ${{ steps.auth_check.outputs.authorized }} 80 | run: | 81 | echo "Do cool stuff now as this user can run this workflow." 82 | 83 | # Or we can just check with a step like this which will error if the user is not authorized. 84 | # Everything after this will not be executed. 85 | - name: can continue 86 | run: | 87 | if [ ${{ steps.auth_check.outputs.authorized }} != "true" ]; then 88 | echo "::error title=User Unauthorized::User ${{ github.actor }} is not authorized to run this workflow!" 89 | exit 1 90 | fi 91 | 92 | # We are safe to continue 93 | - name: cool stuff 94 | run: | 95 | echo "Do cool stuff now as this user can run this workflow." 96 | ``` 97 | 98 | Example of a multi lookup: 99 | ```yaml 100 | steps: 101 | - id: get_token 102 | run: | 103 | echo "Get the github token you want to use" 104 | echo "Or use a Github App and generate the token here" 105 | echo "github_token=gh_abc123" >> ${{ GITHUB_OUTPUTS }} 106 | 107 | - name: Check list of users 108 | id: authorized_list 109 | uses: morfien101/actions-authorized-user@v3 110 | with: 111 | username: user1,user2,user3 112 | org: ${{ github.repo_owner }} 113 | team: "release_team" 114 | whitelist: "app1_name[bot],app2_name[bot],mona_the_cat" 115 | github_token: ${{ steps.get_token.outputs.github_token }} 116 | multi_user: true 117 | 118 | - name: How many passed 119 | id: enough_authorized 120 | shell: bash 121 | runs: | 122 | n_allowed=$(echo "${{ steps.authorized_list }}" | tr ',' '\n' | grep true | wc -l) 123 | if [ $n_allowed -gt 1 ]; then 124 | do_it="true" 125 | else 126 | do_it="false" 127 | fi 128 | 129 | echo "allowed=$do_it" >> ${{ GITHUB_OUTPUTS }} 130 | ``` 131 | 132 | ## Contributing 133 | 134 | For testing you will need some env vars set. You can find these in the test.sh file. 135 | For local testing there is a debug logger that you can use. Set the env value `DEBUG=true` to turn it on. 136 | 137 | Any changes to `main.js` has to follow a compilation step with `@vercel/ncc`. 138 | 139 | ```sh 140 | ncc build main.js 141 | 142 | # OR 143 | 144 | node_modules/@vercel/ncc/dist/ncc/cli.js build main.js 145 | ``` 146 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | --------------------------------------------------------------------------------