This repository is meant to hold the setup for requesting actions to be used internally

rajbos/github-actions-requests

GitHub Actions Requests

This repository is meant to hold the setup for requesting actions to be used internally, for example together with the Internal Actions Marketplace.

Process description

  1. User creates a new issue in this repo
  2. The review team gets a notification about the new issue (using this action: issue-comment-tag)
  3. After manual review, the review team labels the issue with security-check
  4. The workflow Issue labeled security scan is triggered, executing several automated checks.
  5. The results of all the checks are added back into the request issue.
  6. After reviewing the results and approving them, the action repo can be forked into your actions organization and users can start using it.

Video explanation

YouTube Link

Checks

Currently we run the following checks:

  • Has the repo been set up with a CodeQL workflow?
  • Has the repo been configured with Dependabot updates?
  • If we fork the repo and enable Dependabot, do we get Security Alerts?
  • If we fork the repo and enable CodeQL, do we get Security Alerts?
  • If the action uses a container, we run a Trivy scan and check the alerts.
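
The static part of these checks (CodeQL workflow present, Dependabot configured, container action detected so a Trivy scan is needed) can be sketched as below. This is an added example, not the workflow code from this repository; the function names and the sample repositories it builds are constructed for illustration, and the fork-based alert checks and the Trivy scan itself are not covered.

```python
import re
import tempfile
from pathlib import Path

USES_CODEQL = re.compile(r"^\s*-?\s*uses:\s*['\"]?github/codeql-action/", re.M)
USING_DOCKER = re.compile(r"^\s+using:\s*['\"]?docker['\"]?\s*(#.*)?$", re.M)

def check_action_repo(root):
    """Static checks on a local checkout of the requested action repository."""
    root = Path(root)
    gh = root / ".github"
    # Dependabot reads its configuration from .github/dependabot.yml
    dependabot = any((gh / n).is_file() for n in ("dependabot.yml", "dependabot.yaml"))
    # A CodeQL workflow is a workflow with a step that uses github/codeql-action/*
    workflows = [p for p in (gh / "workflows").glob("*") if p.suffix in (".yml", ".yaml")]
    codeql = any(USES_CODEQL.search(p.read_text()) for p in workflows)
    # Container actions declare `using: docker` under `runs:` in their metadata file
    metas = [root / n for n in ("action.yml", "action.yaml") if (root / n).is_file()]
    container = any(USING_DOCKER.search(m.read_text()) for m in metas)
    return {"codeql_workflow": codeql, "dependabot_config": dependabot,
            "container_scan_needed": container}

def build_sample(root, hardened):
    """Write a constructed sample repository (not a real action) under root."""
    wf = Path(root) / ".github" / "workflows"
    wf.mkdir(parents=True)
    (Path(root) / "action.yml").write_text(
        "name: sample\nruns:\n  using: docker\n  image: Dockerfile\n")
    # The commented-out CodeQL step must not count as a CodeQL workflow.
    (wf / "ci.yml").write_text(
        "on: push\njobs:\n  build:\n    runs-on: ubuntu-latest\n"
        "    steps:\n      # - uses: github/codeql-action/init@v3\n"
        "      - uses: actions/checkout@v4\n")
    if hardened:
        (wf / "codeql.yml").write_text(
            "on: push\njobs:\n  analyze:\n    runs-on: ubuntu-latest\n    steps:\n"
            "      - uses: github/codeql-action/init@v3\n"
            "      - uses: github/codeql-action/analyze@v3\n")
        (wf.parent / "dependabot.yml").write_text(
            "version: 2\nupdates:\n  - package-ecosystem: github-actions\n"
            "    directory: /\n    schedule:\n      interval: weekly\n")

def demo():
    """Run the checks against a bare and a hardened constructed repository."""
    results = {}
    for name, hardened in (("bare", False), ("hardened", True)):
        with tempfile.TemporaryDirectory() as tmp:
            build_sample(tmp, hardened)
            results[name] = check_action_repo(tmp)
    return results

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```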

Configuration

For configuration of the workflows in this repository, we use the following secrets:

| Name | Example value | Description |
| --- | --- | --- |
| ACTIONS_STEP_DEBUG | true | Get additional debugging logs in Actions |
| GH_TOKEN | ghp_***************** | GitHub Token with enough access to fork the repos into a specific org |

New issue setup

Whenever a new issue is added to this repo, the new-issue.yml workflow is triggered. For a description of what it does, check this blog post.

These are the secrets that it uses:

| Name | Example value | Description |
| --- | --- | --- |
| PROJECT_ACCOUNT | rajbos | Account name that the project is linked to |
| PROJECT_NUMBER | 2 | The number of the project |
| PROJECT_TOKEN | ghp_***************** | A token with access to add issues to the project |
