Automate GitHub Actions allow list for GitHub Enterprise accounts
```yaml
name: Deploy GitHub Actions allow list

on:
  push:
    branches: [main]
    paths: [github-actions-allow-list.yml]

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions: read-all

    steps:
      - name: Checkout
        uses: actions/checkout@v2.3.4

      - name: Setup node
        uses: actions/setup-node@v2.1.5
        with:
          node-version: 14.x

      - name: Deploy GitHub Actions allow list
        uses: ActionsDesk/github-actions-allow-list-as-code-action@v1.1.2
        with:
          token: ${{ secrets.ENTERPRISE_ADMIN_TOKEN }}
          enterprise: 'your-enterprise'
          # same path as defined under `on.push.paths` above
          allow_list_path: github-actions-allow-list.yml
          # gh_api_url: 'https://github.example.com/api/v3' # Only required for GitHub Enterprise Server
```
Name | Description | Default | Required |
---|---|---|---|
token | GitHub Personal Access Token (PAT) with `admin:enterprise` or `admin:org` scope | | true |
organization | GitHub organization slug | | false |
enterprise | GitHub Enterprise account slug | | false |
allow_list_path | Path to the GitHub Actions allow list YML within the repository | github-actions-allow-list.yml | false |
gh_api_url | GitHub Enterprise Server - URL to the GitHub API endpoint. Example: https://github.example.com/api/v3. | https://api.github.com | false |
ℹ️ Notes for providing `enterprise` or `organization`:

- Use `enterprise` to update the GitHub Enterprise Cloud's actions allow list, or `organization` to update a single organization's allow list.
- Please provide only one of: `enterprise`, `organization`.
- If `organization` is provided, but the allow list is handled via GitHub Enterprise Cloud's actions allow list, the action run will fail with `Selected actions are already set at the enterprise level`.

Example content for the allow list file, containing the `actions:` key and a list with two allowed actions:
```yaml
actions:
  - actionsdesk/github-actions-allow-list-as-code-action@v1.1.2
  - hashicorp/vault-action@v2.4.0
```
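As an added example (not part of this README or of the action's own code), a pre-deploy lint for an allow list file in the shape shown above: it extracts the entries under `actions:`, reports any that are not even `owner/repo` shaped, and warns on wildcards or on refs that are not a full commit SHA, since a tag such as `v2.4.0` can be moved after the list is deployed. The sample file and the SHA in it are constructed, and the scanner assumes the flat file shape shown above rather than general YAML.

```python
import re
# owner/repo@ref with no wildcard; wildcard patterns such as owner/* or owner/repo@*
# are accepted by GitHub but only warned about here.
PINNED_RE = re.compile(r"^[^/@*\s]+/[^/@*\s]+@(?P<ref>[^\s*]+)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample in the README's format (the 40-hex SHA is a made-up placeholder).
SAMPLE = """\
actions:
  - actionsdesk/github-actions-allow-list-as-code-action@v1.1.2
  - hashicorp/vault-action@v2.4.0   # trailing comment
  - 'actions/checkout@0123456789abcdef0123456789abcdef01234567'
  - actions/*
"""

def parse_allow_list(text):
    """Items under the top-level `actions:` key. Assumption: the file has the flat
    shape the README shows, so a line scanner suffices and no YAML library is needed."""
    entries, in_actions = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line[0] not in " \t-":                  # a top-level key starts a new section
            in_actions = line.strip() == "actions:"
            continue
        if in_actions and line.strip().startswith("- "):
            entries.append(line.strip()[2:].strip().strip("'\""))
    return entries

def check_entry(entry):
    """'error' if not even owner/repo shaped, 'warn' if it admits more than one
    immutable version, 'ok' only when pinned to a full commit SHA."""
    if "/" not in entry:
        return "error", f"{entry}: not in owner/repo form"
    if "*" in entry:
        return "warn", f"{entry}: wildcard, matches more than one action or version"
    m = PINNED_RE.match(entry)
    if not m:
        return "warn", f"{entry}: no @ref, so no version pin"
    if not SHA_RE.match(m.group("ref")):
        return "warn", f"{entry}: pinned to a movable tag or branch, not a commit SHA"
    return "ok", f"{entry}: pinned to a commit SHA"

def lint(text):
    # An empty or missing list is itself an error: nothing would be allowed.
    entries = parse_allow_list(text)
    if not entries:
        return [("error", "no entries found under the `actions:` key")]
    return [check_entry(e) for e in entries]
```

Run it as a step before the deploy step and fail the job on any `error` line; whether `warn` lines should also block is a policy choice for the enterprise.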