From 32c9193904f8d5046b87f9a51295f0f7d2c577e8 Mon Sep 17 00:00:00 2001
From: Zeke Sikelianos
Date: Wed, 7 Oct 2020 11:59:10 -0700
Subject: [PATCH 1/4] fix tests for Actions AllowList

---
 tests/unit/actions-workflows.js | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/tests/unit/actions-workflows.js b/tests/unit/actions-workflows.js
index 872e0adf986f..5c02f719b7a8 100644
--- a/tests/unit/actions-workflows.js
+++ b/tests/unit/actions-workflows.js
@@ -19,17 +19,23 @@ function actionsUsedInWorkflow (workflow) {
 .map(key => get(workflow, key))
 }
 
+const allUsedActions = chain(workflows)
+ .map(actionsUsedInWorkflow)
+ .flatten()
+ .uniq()
+ .sort()
+ .value()
+
 describe('GitHub Actions workflows', () => {
- test('only use allowed actions from ./github/allow-actions.json', async () => {
- const allUsedActions = chain(workflows)
- .map(actionsUsedInWorkflow)
- .flatten()
- .uniq()
- .sort()
- .value()
+ test('all used actions are allowed in .github/allowed-actions.j', () => {
+ expect(allUsedActions.length).toBeGreaterThan(0)
+ const unusedActions = difference(allowedActions, allUsedActions)
+ expect(unusedActions).toEqual([])
+ })
 
+ test('all allowed actions by .github/allowed-actions.js are used by at least one workflow', () => {
 expect(allowedActions.length).toBeGreaterThan(0)
- expect(allUsedActions.length).toBeGreaterThan(0)
- expect(difference(allowedActions, allUsedActions)).toEqual([])
+ const disallowedActions = difference(allUsedActions, allowedActions)
+ expect(disallowedActions).toEqual([])
 })
 })

From 50b96d2f651d8ccb26ed1f10c2d3d3797b475828 Mon Sep 17 00:00:00 2001
From: Zeke Sikelianos
Date: Wed, 7 Oct 2020 12:00:56 -0700
Subject: [PATCH 2/4] add more allowed actions

---
 .github/allowed-actions.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/allowed-actions.js b/.github/allowed-actions.js
index f9ce4ab37005..4862b44ad22d 100644
--- a/.github/allowed-actions.js
+++ b/.github/allowed-actions.js
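Review bot: In the PATCH 1/4 hunk of tests/unit/actions-workflows.js the two test titles are attached to the opposite assertions. The test titled 'all used actions are allowed…' computes `difference(allowedActions, allUsedActions)` (named `unusedActions`), which lists allow-list entries that no workflow references, while the test titled 'all allowed actions … are used by at least one workflow' computes `difference(allUsedActions, allowedActions)` (named `disallowedActions`), which is the actual allow-list enforcement. A workflow that references an action missing from the allow-list would therefore be reported under the "unused" title, which makes the security-relevant failure easy to misread during triage. Moving `const disallowedActions = difference(allUsedActions, allowedActions)` and `expect(disallowedActions).toEqual([])` into the first test (and the `unusedActions` pair into the second), or simply swapping the two title strings, fixes it. PATCH 3/4 only corrects the `.j` typo in the first title and leaves this pairing unchanged.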
@@ -8,12 +8,14 @@ module.exports = [
 'actions/cache@v2',
 'actions/checkout@v2',
 'actions/github-script@0.9.0',
+ 'actions/github-script@v2.0.0',
 'actions/github-script@v2',
 'actions/github-script@v3',
 'actions/labeler@v2',
 'actions/setup-node@v1',
 'actions/setup-ruby@v1',
 'actions/stale@v3',
+ 'andymckay/labeler@1.0.2',
 'dawidd6/action-delete-branch@v3',
 'docker://chinthakagodawita/autoupdate-action:v1',
 'github/codeql-action/analyze@v1',
@@ -22,6 +24,7 @@ module.exports = [
 'juliangruber/approve-pull-request-action@v1',
 'juliangruber/find-pull-request-action@v1',
 'juliangruber/read-file-action@v1',
+ 'konradpabjan/actions-add-new-issue-to-column@v1.1',
 'pascalgn/automerge-action@135f0bdb927d9807b5446f7ca9ecc2c51de03c4a',
 'peter-evans/create-issue-from-file@v2',
 'peter-evans/create-pull-request@v2',

From da0ad48cf3c7c06ca91def3ae2c69a93b3384c0f Mon Sep 17 00:00:00 2001
From: Zeke Sikelianos
Date: Wed, 7 Oct 2020 12:44:16 -0700
Subject: [PATCH 3/4] Update tests/unit/actions-workflows.js

Co-authored-by: Tom Jenkinson
---
 tests/unit/actions-workflows.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/unit/actions-workflows.js b/tests/unit/actions-workflows.js
index 5c02f719b7a8..614f558e834f 100644
--- a/tests/unit/actions-workflows.js
+++ b/tests/unit/actions-workflows.js
@@ -27,7 +27,7 @@ const allUsedActions = chain(workflows)
 .value()
 
 describe('GitHub Actions workflows', () => {
- test('all used actions are allowed in .github/allowed-actions.j', () => {
+ test('all used actions are allowed in .github/allowed-actions.js', () => {
 expect(allUsedActions.length).toBeGreaterThan(0)
 const unusedActions = difference(allowedActions, allUsedActions)
 expect(unusedActions).toEqual([])

From 16d3d7543f867e1719d58eed598ed4208e5ccdcd Mon Sep 17 00:00:00 2001
From: Zeke Sikelianos
Date: Wed, 7 Oct 2020 15:15:29 -0700
Subject: [PATCH 4/4] Update allowed-actions.js

---
 .github/allowed-actions.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
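Review bot: The third-party entries added in the two .github/allowed-actions.js hunks of PATCH 2/4, `'andymckay/labeler@1.0.2'` and `'konradpabjan/actions-add-new-issue-to-column@v1.1'`, are pinned to tags, which the action's owner can repoint to different code after this list was reviewed. The same applies to their replacements in the PATCH 4/4 hunks, `'rachmari/actions-add-new-issue-to-column@v1.1.1'` and `'rachmari/labeler@v1.0.4'`. The list already carries a full-SHA pin for `pascalgn/automerge-action`, so new third-party entries could follow that form with the tag kept as a trailing comment, e.g. `'rachmari/labeler@FULL_COMMIT_SHA', // v1.0.4` (placeholder, to be filled with the reviewed commit). The array starts and ends outside these hunks.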
diff --git a/.github/allowed-actions.js b/.github/allowed-actions.js
index 4862b44ad22d..a58a6a578d28 100644
--- a/.github/allowed-actions.js
+++ b/.github/allowed-actions.js
@@ -15,7 +15,6 @@ module.exports = [
 'actions/setup-node@v1',
 'actions/setup-ruby@v1',
 'actions/stale@v3',
- 'andymckay/labeler@1.0.2',
 'dawidd6/action-delete-branch@v3',
 'docker://chinthakagodawita/autoupdate-action:v1',
 'github/codeql-action/analyze@v1',
@@ -24,10 +23,11 @@ module.exports = [
 'juliangruber/approve-pull-request-action@v1',
 'juliangruber/find-pull-request-action@v1',
 'juliangruber/read-file-action@v1',
- 'konradpabjan/actions-add-new-issue-to-column@v1.1',
 'pascalgn/automerge-action@135f0bdb927d9807b5446f7ca9ecc2c51de03c4a',
 'peter-evans/create-issue-from-file@v2',
 'peter-evans/create-pull-request@v2',
+ 'rachmari/actions-add-new-issue-to-column@v1.1.1',
+ 'rachmari/labeler@v1.0.4',
 'repo-sync/github-sync@v2',
 'repo-sync/pull-request@v2',
 'rtCamp/action-slack-notify@master',