ActionsDesk / github-actions-allow-list-as-code-action

Automate GitHub Actions allow list for GitHub Enterprise Cloud accounts
MIT License

Allow all versions of action #93

Closed testersen closed 1 year ago

testersen commented 1 year ago

Hello,

I work at Telenor and we are using this action. I am wondering if it is possible to allow an action with any version.

I.e.

Our github-actions-allow-list.yml looks like:

actions:
  - ActionsDesk/github-actions-allow-list-as-code-action@v3.0.0
  - abc/abc@v1.2.3
  - def/def@v4.5.6

Is it also possible to allow an action like this?

  - OurPublicSlug/abc

Without having to provide the version? Or OurPublicSlug/abc@* (at star) to allow all?

Thanks, James.

testersen commented 1 year ago

@theztefan Would you know?

stoe commented 1 year ago

Is it also possible to allow an action like this?

  - OurPublicSlug/abc

Without having to provide the version? Or OurPublicSlug/abc@* (at star) to allow all?

@j4m350n, yes that is possible, and as you pointed out it needs to be OurPublicSlug/abc@* to work for all versions.

Only patterns documented under https://docs.github.com/en/enterprise-cloud@latest/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#allowing-select-actions-and-reusable-workflows-to-run are possible.

theztefan commented 1 year ago

Hey @j4m350n! As @stoe pointed out, technically, the feature (and therefore this Action) does allow * wildcard character which makes your request possible. Reference to wildcard matching

That being said, you would still want to check in and confirm your company policy allows this.
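The two replies above say that an entry needs `@*` to cover every version and that a wildcard is a policy decision rather than a technical one. The following script is an added example, not code from this repository or from GitHub: it reads an allow-list file in the shape shown in the issue, classifies each entry (SHA-pinned, tag-pinned, wildcard, or missing `@ref`), and flags wildcards on organizations that are not in a constructed `TRUSTED_OWNERS` set. The `pattern_matches` helper implements plain glob matching where `*` matches any run of characters; that this mirrors GitHub's own wildcard rules is an assumption, and the linked documentation remains the authority.

```python
import re
from dataclasses import dataclass

# Constructed sample github-actions-allow-list.yml in the shape shown in the issue.
SAMPLE_ALLOW_LIST = """\
actions:
  - ActionsDesk/github-actions-allow-list-as-code-action@v3.0.0
  - abc/abc@v1.2.3
  - def/def@v4.5.6
  - OurPublicSlug/abc@*
  - OurPublicSlug/def
  - thirdparty/tool@*
"""

# Organizations the company controls itself (constructed placeholder; replace with your own).
TRUSTED_OWNERS = {"OurPublicSlug"}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    entry: str
    severity: str  # "ok", "info", "warn" or "error"
    message: str


def parse_allow_list(text):
    """Read the `actions:` list of the allow-list file.

    Only the flat list form used in the issue is handled, so no YAML library is needed.
    """
    entries = []
    in_actions = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "actions:":
            in_actions = True
        elif in_actions and line.startswith("- "):
            entries.append(line[2:].strip())
        else:
            in_actions = False
    return entries


def classify(entry):
    """Say how tightly an entry pins the action it allows."""
    if "*" in entry:
        return "wildcard"
    if "@" not in entry:
        return "unversioned"
    ref = entry.rsplit("@", 1)[1]
    return "sha-pinned" if SHA_RE.match(ref) else "tag-pinned"


def lint(entries, trusted_owners):
    """Apply a simple policy to each entry and return one Finding per entry."""
    findings = []
    for entry in entries:
        kind = classify(entry)
        owner = entry.split("/", 1)[0]
        if kind == "unversioned":
            findings.append(Finding(entry, "error",
                "no @ref; use owner/repo@* for all versions or pin a tag or commit SHA"))
        elif kind == "wildcard" and owner in trusted_owners:
            findings.append(Finding(entry, "info", "wildcard on an organization you control"))
        elif kind == "wildcard":
            findings.append(Finding(entry, "warn",
                "wildcard allows every future version of an action you do not control"))
        elif kind == "tag-pinned":
            findings.append(Finding(entry, "ok", "pinned to a tag (tags can be moved by the owner)"))
        else:
            findings.append(Finding(entry, "ok", "pinned to an immutable commit SHA"))
    return findings


def pattern_matches(pattern, uses):
    """Glob-style check: `*` matches any run of characters, everything else is literal.

    Assumption: this mirrors the wildcard matching described in the GitHub docs linked
    in the issue; consult those docs for the authoritative rules.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, uses) is not None


if __name__ == "__main__":
    for f in lint(parse_allow_list(SAMPLE_ALLOW_LIST), TRUSTED_OWNERS):
        print(f"{f.severity:5} {f.entry}: {f.message}")
```

Running it on the constructed file reports `OurPublicSlug/def` as an error (no `@ref`, matching stoe's point), `OurPublicSlug/abc@*` as info because the owner is trusted, and `thirdparty/tool@*` as a warning, which is the case theztefan suggests checking against company policy. A check like this fits naturally as a pre-commit hook or CI step on the repository that holds the allow list.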

testersen commented 1 year ago

Thanks @stoe, this helps out! <3

@theztefan The actions I'd like to do this with are our own, but located in a different organization that is publicly available. I 100% agree with you that wildcards are a security risk for actions not owned by ourselves :)

Thanks for the quick replies!