From f90ec2144cf1bd7dbf15f006ee9050bf3e968ddb Mon Sep 17 00:00:00 2001
From: Kyle Harding
Date: Tue, 19 Dec 2023 12:13:22 -0500
Subject: [PATCH] BREAKING: Remove opt-in repo configuration

Allowing Flowzone to make repo configuration changes via administrator tokens effectively grants any user with write permissions the ability to make admin changes. Repo configuration should be handled outside of the CI context where administrator permissions can be granted to a central authority only.

This is a breaking change for repos that previously opted into these settings. This workflow will not run unless the calling workflow omits the related inputs.

Change-type: major
Signed-off-by: Kyle Harding
---
 .github/workflows/flowzone.yml | 153 ---------------------------------
 .github/workflows/tests.yml | 2 -
 README.md | 75 ----------------
 flowzone.yml | 151 --------------------------------
 4 files changed, 381 deletions(-)

diff --git a/.github/workflows/flowzone.yml b/.github/workflows/flowzone.yml
index aea4e7860..17cecf4ed 100644
--- a/.github/workflows/flowzone.yml
+++ b/.github/workflows/flowzone.yml
@@ -204,81 +204,6 @@ on: type: boolean required: false default: false - repo_config: - description: Set to true to standardise repository settings after a successful run - type: boolean - required: false - default: false - repo_allow_forking: - description: Allow forking of an organization repository - type: boolean - required: false - default: true - repo_default_branch: - description: Set the default branch name for the repository - type: string - required: false - default: master - repo_delete_branch_on_merge: - description: Delete head branch when pull requests are merged - type: boolean - required: false - default: true - repo_allow_update_branch: - description: Always suggest updating pull request branches - type: boolean - required: false - default: true - repo_description: - description: Description of the repository - type: string - required: false - default: "" - repo_homepage: - description: Repository home page URL - type: string - required: false - default: "" - repo_enable_auto_merge: - description: Enable auto-merge functionality - type: boolean - required: false - default: true - repo_enable_issues: - description: Enable issues in the repository - type: boolean - required: false - default: true - repo_enable_merge_commit: - description: Enable merging pull requests via merge commit - type: boolean - required: false - default: true - repo_enable_projects: - description: Enable projects in the repository - type: boolean - required: false - default: false - repo_enable_rebase_merge: - description: Enable merging pull requests via rebase - type: boolean - required: false - default: false - repo_enable_squash_merge: - description: Enable merging pull requests via squashed commit - type: boolean - required: false - default: false - repo_enable_wiki: - description: Enable wiki in the repository - type: boolean - required: false - default: false - repo_visibility: - description: Change the visibility of the repository to {public,private,internal} - type: 
string - required: false - default: default disable_versioning: description: Set to true to disable automatic versioning type: boolean 
@@ -4415,84 +4340,6 @@ jobs: fi echo "::notice::Branch protection rules have been updated" - repo_config: - name: Apply repo settings - runs-on: ${{ fromJSON(inputs.runs_on) }} - timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }} - needs: - - versioned_source - if: | - github.event.pull_request.merged == true && - inputs.repo_config == true - steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - continue-on-error: true - id: gh_app_token - with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: id - installation_retrieval_payload: ${{ inputs.installation_id }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "administration": "write", - "contents": "read", - "metadata": "read" - } - repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]' - - name: Configure repository - env: - GH_DEBUG: "true" - GH_PAGER: cat - GH_PROMPT_DISABLED: "true" - GH_REPO: ${{ github.repository }} - GH_TOKEN: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }} - run: | - # only change repository visibility if explicitly set to one of the permissible values - visibility='' - if [[ '${{ inputs.repo_visibility }}' =~ private|public|internal ]]; then - gh repo edit '${{ github.repository }}' \ - --visibility '${{ inputs.repo_visibility }}' || true - fi - - if [[ -n '${{ inputs.repo_description }}' ]]; then - gh repo edit '${{ github.repository }}' \ - --description '${{ inputs.repo_description }}' - fi - - if [[ -n '${{ inputs.repo_homepage }}' ]]; then - homepage='${{ inputs.repo_homepage }}' - elif [[ -n '${{ inputs.cloudflare_website }}' ]]; then - homepage='https://${{ inputs.cloudflare_website }}.pages.dev' - else - homepage='' - fi - [[ -n "${homepage}" ]] && gh repo edit '${{ github.repository }}' \ - --homepage "${homepage}" - - # HTTP 422: This organization does not allow private repository forking - if ! 
gh repo edit '${{ github.repository }}' \ - --allow-forking=${{ inputs.repo_allow_forking }}; then - echo '::warning::Failed to configure some repository settings.' - fi - - # FIXME: https://github.com/cli/cli/issues/6652#issuecomment-1323908232 - gh repo edit '${{ github.repository }}' \ - --default-branch=${{ inputs.repo_default_branch }} \ - --delete-branch-on-merge=${{ inputs.repo_delete_branch_on_merge }} \ - --enable-auto-merge=${{ inputs.repo_enable_auto_merge }} \ - --enable-issues=${{ inputs.repo_enable_issues }} \ - --enable-merge-commit=${{ inputs.repo_enable_merge_commit }} \ - --enable-projects=${{ inputs.repo_enable_projects }} \ - --enable-rebase-merge=${{ inputs.repo_enable_rebase_merge }} \ - --enable-squash-merge=${{ inputs.repo_enable_squash_merge }} \ - --enable-wiki=${{ inputs.repo_enable_wiki }} - - # allow_update_branch not currently available for update via gh-cli - gh api --method PATCH '/repos/${{ github.repository }}' \ - -H "Accept: application/vnd.github+json" \ - -F allow_update_branch='${{ inputs.repo_allow_update_branch }}' all_tests: name: All tests runs-on: ${{ fromJSON(inputs.runs_on) }} diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index c0535fa41..ff313f2b6 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -24,8 +24,6 @@ jobs: secrets: inherit with: working_directory: ./tests - repo_config: true - repo_description: "Reusable, opinionated, zero-conf workflows for GitHub actions" docker_images: | ghcr.io/product-os/flowzone balena_slugs: | diff --git a/README.md b/README.md index 9af9e9c5c..3f91e831c 100644 --- a/README.md +++ b/README.md 
@@ -291,81 +291,6 @@ jobs: # Required: false pseudo_terminal: false - # Set to true to standardise repository settings after a successful run - # Type: boolean - # Required: false - repo_config: false - - # Allow forking of an organization repository - # Type: boolean - # Required: false - repo_allow_forking: true - - # Set the default branch name for the repository - # Type: string - # Required: false - repo_default_branch: master - - # Delete head branch when pull requests are merged - # Type: boolean - # Required: false - repo_delete_branch_on_merge: true - - # Always suggest updating pull request branches - # Type: boolean - # Required: false - repo_allow_update_branch: true - - # Description of the repository - # Type: string - # Required: false - repo_description: - - # Repository home page URL - # Type: string - # Required: false - repo_homepage: - - # Enable auto-merge functionality - # Type: boolean - # Required: false - repo_enable_auto_merge: true - - # Enable issues in the repository - # Type: boolean - # Required: false - repo_enable_issues: true - - # Enable merging pull requests via merge commit - # Type: boolean - # Required: false - repo_enable_merge_commit: true - - # Enable projects in the repository - # Type: boolean - # Required: false - repo_enable_projects: false - - # Enable merging pull requests via rebase - # Type: boolean - # Required: false - repo_enable_rebase_merge: false - - # Enable merging pull requests via squashed commit - # Type: boolean - # Required: false - repo_enable_squash_merge: false - - # Enable wiki in the repository - # Type: boolean - # Required: false - repo_enable_wiki: false - - # Change the visibility of the repository to {public,private,internal} - # Type: string - # Required: false - repo_visibility: default - # Set to true to disable automatic versioning # Type: boolean # Required: false diff --git a/flowzone.yml b/flowzone.yml index 408d677e0..8a95dfae0 100644 --- a/flowzone.yml +++ b/flowzone.yml 
@@ -903,81 +903,6 @@ on: type: boolean required: false default: false - repo_config: - description: "Set to true to standardise repository settings after a successful run" - type: boolean - required: false - default: false - repo_allow_forking: - description: "Allow forking of an organization repository" - type: boolean - required: false - default: true - repo_default_branch: - description: "Set the default branch name for the repository" - type: string - required: false - default: master - repo_delete_branch_on_merge: - description: "Delete head branch when pull requests are merged" - type: boolean - required: false - default: true - repo_allow_update_branch: - description: "Always suggest updating pull request branches" - type: boolean - required: false - default: true - repo_description: - description: "Description of the repository" - type: string - required: false - default: "" - repo_homepage: - description: "Repository home page URL" - type: string - required: false - default: "" - repo_enable_auto_merge: - description: "Enable auto-merge functionality" - type: boolean - required: false - default: true - repo_enable_issues: - description: "Enable issues in the repository" - type: boolean - required: false - default: true - repo_enable_merge_commit: - description: "Enable merging pull requests via merge commit" - type: boolean - required: false - default: true - repo_enable_projects: - description: "Enable projects in the repository" - type: boolean - required: false - default: false - repo_enable_rebase_merge: - description: "Enable merging pull requests via rebase" - type: boolean - required: false - default: false - repo_enable_squash_merge: - description: "Enable merging pull requests via squashed commit" - type: boolean - required: false - default: false - repo_enable_wiki: - description: "Enable wiki in the repository" - type: boolean - required: false - default: false - repo_visibility: - description: "Change the visibility of the repository to 
{public,private,internal}" - type: string - required: false - default: default disable_versioning: description: "Set to true to disable automatic versioning" type: boolean 
@@ -3888,82 +3813,6 @@ jobs: echo "::notice::Branch protection rules have been updated" - ################################################### - ## configure standard repository settings - ################################################### - - repo_config: - name: Apply repo settings - runs-on: ${{ fromJSON(inputs.runs_on) }} - timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }} - needs: - - versioned_source - if: | - github.event.pull_request.merged == true && - inputs.repo_config == true - steps: - - <<: *getGitHubAppToken - with: - <<: *getGitHubAppTokenWith - # admin permission is required modify repo config - permissions: >- - { - "administration": "write", - "contents": "read", - "metadata": "read" - } - repositories: '[ "${{ github.event.pull_request.base.repo.name }}" ]' - - - name: Configure repository - env: - <<: *gitHubCliEnvironment - GH_TOKEN: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }} - run: | - # only change repository visibility if explicitly set to one of the permissible values - visibility='' - if [[ '${{ inputs.repo_visibility }}' =~ private|public|internal ]]; then - gh repo edit '${{ github.repository }}' \ - --visibility '${{ inputs.repo_visibility }}' || true - fi - - if [[ -n '${{ inputs.repo_description }}' ]]; then - gh repo edit '${{ github.repository }}' \ - --description '${{ inputs.repo_description }}' - fi - - if [[ -n '${{ inputs.repo_homepage }}' ]]; then - homepage='${{ inputs.repo_homepage }}' - elif [[ -n '${{ inputs.cloudflare_website }}' ]]; then - homepage='https://${{ inputs.cloudflare_website }}.pages.dev' - else - homepage='' - fi - [[ -n "${homepage}" ]] && gh repo edit '${{ github.repository }}' \ - --homepage "${homepage}" - - # HTTP 422: This organization does not allow private repository forking - if ! gh repo edit '${{ github.repository }}' \ - --allow-forking=${{ inputs.repo_allow_forking }}; then - echo '::warning::Failed to configure some repository settings.' 
- fi - - # FIXME: https://github.com/cli/cli/issues/6652#issuecomment-1323908232 - gh repo edit '${{ github.repository }}' \ - --default-branch=${{ inputs.repo_default_branch }} \ - --delete-branch-on-merge=${{ inputs.repo_delete_branch_on_merge }} \ - --enable-auto-merge=${{ inputs.repo_enable_auto_merge }} \ - --enable-issues=${{ inputs.repo_enable_issues }} \ - --enable-merge-commit=${{ inputs.repo_enable_merge_commit }} \ - --enable-projects=${{ inputs.repo_enable_projects }} \ - --enable-rebase-merge=${{ inputs.repo_enable_rebase_merge }} \ - --enable-squash-merge=${{ inputs.repo_enable_squash_merge }} \ - --enable-wiki=${{ inputs.repo_enable_wiki }} - - # allow_update_branch not currently available for update via gh-cli - gh api --method PATCH '/repos/${{ github.repository }}' \ - -H "Accept: application/vnd.github+json" \ - -F allow_update_branch='${{ inputs.repo_allow_update_branch }}' - all_tests: name: All tests runs-on: ${{ fromJSON(inputs.runs_on) }}