Conversation

@scoopex scoopex commented Oct 2, 2024

No description provided.

Signed-off-by: Marc Schöchlin <schoechlin@osb-alliance.com>
@scoopex scoopex self-assigned this Oct 2, 2024
@scoopex scoopex requested a review from gtema October 2, 2024 15:44
scoopex (Author) commented Oct 7, 2024

@garloff garloff left a comment

Thanks, Marc

garloff commented Jan 17, 2025

But the GitHub workflows don't pass, so something is not working here yet.

steps:
  - name: Check token permissions
    run: |
      if [ -z "${{ secrets[format('GHP_{0}', github.actor)] }}" ]; then

Check warning: Code scanning / CodeQL: Excessive Secrets Exposure (Medium)

All organization and repository secrets are passed to the workflow runner in
secrets[format('GHP_{0}', github.actor)]

Copilot Autofix (AI, 24 days ago)

General fix:
Eliminate dynamic secret access and explicitly declare which secrets are used by the workflow. For per-user tokens, enumerate each possible user as a build matrix with a conditional per-user environment variable selection.

Detailed fix:

  • Remove the use of secrets[format('GHP_{0}', github.actor)].
  • Instead, create a matrix in the job that lists allowed users (actors) and assigns the exact secret name for each one.
  • Use a conditional for each possible actor to set the API_TOKEN env variable specifically to the corresponding secret, for example:
    env:
      API_TOKEN: ${{ secrets.GHP_ACTOR1 }}
  • Remove any unnecessary checking for whether the secret is present—GitHub will fail with a useful error if a required secret is missing.
  • Update the api_token variable in the ansible invocation to use this new env declaration.

File/region to change:
.github/workflows/dryrun-manage-github-repositories.yml

  • Replace the dynamic secret access in the relevant env sections with explicit per-actor/secret mapping.

Suggested changeset 1
.github/workflows/dryrun-manage-github-repositories.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/dryrun-manage-github-repositories.yml b/.github/workflows/dryrun-manage-github-repositories.yml
--- a/.github/workflows/dryrun-manage-github-repositories.yml
+++ b/.github/workflows/dryrun-manage-github-repositories.yml
@@ -15,16 +15,16 @@
 jobs:
   manage-github-repositories:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - actor: user1
+            api_token: ${{ secrets.GHP_USER1 }}
+          - actor: user2
+            api_token: ${{ secrets.GHP_USER2 }}
+          # Add additional users as needed
+    if: github.actor == matrix.actor
     steps:
-      - name: Check token permissions
-        run: |
-          if [ -z "${{ secrets[format('GHP_{0}', github.actor)] }}" ]; then
-            echo "No valid PAT found for ${{github.actor}}"
-            exit 1
-          else
-            echo "Found valid PAT for ${{github.actor}}"
-          fi
-
       - name: Checkout repo
         uses: actions/checkout@v3
         with:
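Review bot: `if: github.actor == matrix.actor` at job level will not validate, because the `matrix` context is not available in `jobs.<job_id>.if` (only `github`, `needs`, `vars` and `inputs` are), and `secrets` is likewise not available inside `jobs.<job_id>.strategy`, so `api_token: ${{ secrets.GHP_USER1 }}` in the `include` list never resolves. Keep a single job, gate the per-actor steps with a step-level `if: github.actor == 'user1'`, and reference the named secret from that step's `env`; and note that `user1`/`user2` are placeholders that must be replaced by the real actors that hold `GHP_*` secrets.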
@@ -50,4 +49,4 @@
         run: |
           pipenv run ansible-playbook playbook.yaml -e api_token=$API_TOKEN --check --diff
         env:
-          API_TOKEN: ${{ secrets[format('GHP_{0}', github.actor)] }}
+          API_TOKEN: ${{ matrix.api_token }}
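Review bot: `API_TOKEN: ${{ matrix.api_token }}` routes a credential through a matrix value; `strategy.matrix` cannot read `secrets` in the first place, and even where a value can be placed there, matrix values show up in job names and run metadata, which is the wrong place for a token. Reference the named secret directly in this step's `env` (for example `API_TOKEN: ${{ secrets.GHP_USER1 }}` under a step-level `if: github.actor == 'user1'`); that also satisfies the CodeQL rule, since only that one secret is then passed to the runner.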
EOF
run: |
  pipenv run ansible-playbook playbook.yaml -e api_token=$API_TOKEN --check --diff
env:
  API_TOKEN: ${{ secrets[format('GHP_{0}', github.actor)] }}

Check warning: Code scanning / CodeQL: Excessive Secrets Exposure (Medium)

All organization and repository secrets are passed to the workflow runner in
secrets[format('GHP_{0}', github.actor)]

Copilot Autofix (AI, 24 days ago)

To fix the problem, we must avoid dynamically accessing secrets at runtime. Instead, explicitly define input variables or secrets for each possible value of ${{ github.actor }}. This ensures that only the secrets that are needed are passed to the workflow runner.

The best approach is to create a job matrix for each supported actor, and, for each one, pass the correct secret explicitly in the job's env section. For demonstration, if you have a limited set of possible actors (e.g., user1 and user2), you can write two jobs that are conditionally run only for the respective actor by using the if field, and reference the relevant secret explicitly with secrets.GHP_user1 and secrets.GHP_user2.

In practice:

  • For each actor who should have a specific PAT, add a job or a step guarded by if: github.actor == 'actorname'.
  • Set API_TOKEN: ${{ secrets.GHP_actorname }}.

If there are many actors, you will need to enumerate each one explicitly. If that is not feasible, you should reconsider the workflow design, as dynamic secret access is fundamentally prohibited for security.

Required changes:

  • Remove dynamic secret access in lines 21 and 53.
  • Replace with explicit secret references for each allowed actor, using conditionals.
Suggested changeset 1
.github/workflows/dryrun-manage-github-repositories.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/dryrun-manage-github-repositories.yml b/.github/workflows/dryrun-manage-github-repositories.yml
--- a/.github/workflows/dryrun-manage-github-repositories.yml
+++ b/.github/workflows/dryrun-manage-github-repositories.yml
@@ -16,15 +16,26 @@
   manage-github-repositories:
     runs-on: ubuntu-latest
     steps:
-      - name: Check token permissions
+      - name: Check token permissions for user1
+        if: github.actor == 'user1'
         run: |
-          if [ -z "${{ secrets[format('GHP_{0}', github.actor)] }}" ]; then
-            echo "No valid PAT found for ${{github.actor}}"
+          if [ -z "${{ secrets.GHP_user1 }}" ]; then
+            echo "No valid PAT found for user1"
             exit 1
           else
-            echo "Found valid PAT for ${{github.actor}}"
+            echo "Found valid PAT for user1"
           fi
 
+      - name: Check token permissions for user2
+        if: github.actor == 'user2'
+        run: |
+          if [ -z "${{ secrets.GHP_user2 }}" ]; then
+            echo "No valid PAT found for user2"
+            exit 1
+          else
+            echo "Found valid PAT for user2"
+          fi
+
       - name: Checkout repo
         uses: actions/checkout@v3
         with:
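Review bot: an actor who is neither `user1` nor `user2` now skips both check steps and the job carries on, whereas the removed step failed fast for any actor without a PAT; add a final guard step (`if: github.actor != 'user1' && github.actor != 'user2'`) that exits 1, otherwise the later per-actor playbook steps are silently skipped as well. Also, `if [ -z "${{ secrets.GHP_user1 }}" ]` still expands the secret into the shell script text; pass it via the step's `env:` and test `$API_TOKEN` instead. `user1`/`user2` are placeholders for the real GitHub usernames, and the secret names must follow the existing `GHP_<actor>` convention exactly, case included.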
@@ -46,8 +52,16 @@
         run: |
           ansible-galaxy collection install git+https://github.com/opentelekomcloud/ansible-collection-gitcontrol.git
 
-      - name: Test the management of github repositories with Ansible
+      - name: Test the management of github repositories with Ansible (user1)
+        if: github.actor == 'user1'
         run: |
           pipenv run ansible-playbook playbook.yaml -e api_token=$API_TOKEN --check --diff
         env:
-          API_TOKEN: ${{ secrets[format('GHP_{0}', github.actor)] }}
+          API_TOKEN: ${{ secrets.GHP_user1 }}
+
+      - name: Test the management of github repositories with Ansible (user2)
+        if: github.actor == 'user2'
+        run: |
+          pipenv run ansible-playbook playbook.yaml -e api_token=$API_TOKEN --check --diff
+        env:
+          API_TOKEN: ${{ secrets.GHP_user2 }}
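Review bot: the two playbook steps are identical apart from the `if` and the secret, and for an unmapped actor neither runs, so the workflow passes green without executing the dry run at all. Prefer one playbook step whose `env` selects `API_TOKEN` with an explicit expression (`${{ github.actor == 'user1' && secrets.GHP_user1 || github.actor == 'user2' && secrets.GHP_user2 || '' }}`) and a non-empty check before `ansible-playbook` is invoked; each secret is still named literally, which is what the CodeQL rule requires, without duplicating the command per actor.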
EOF
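Both Copilot autofix comments above describe the same fix, replacing the dynamic `secrets[...]` lookup with explicitly named per-actor secrets; the workflow below is an added example that is not part of the PR or of either autofix. It keeps the single job of the original, selects the token with an explicit actor-to-secret expression in one step's `env`, and fails for an actor with no mapping instead of silently running nothing. `ACTOR_ONE`/`ACTOR_TWO` and the `GHP_ACTOR_*` secret names are placeholders, and the Python/pipenv setup steps of the original workflow are omitted.

```yaml
name: dryrun-manage-github-repositories
on: [pull_request]

jobs:
  manage-github-repositories:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4

      # (Python / pipenv setup steps of the original workflow are omitted here.)

      - name: Install the gitcontrol collection
        run: |
          ansible-galaxy collection install git+https://github.com/opentelekomcloud/ansible-collection-gitcontrol.git

      - name: Test the management of github repositories with Ansible
        # Explicit actor -> secret mapping: each secret is named literally, so
        # only these two secrets (not the whole secrets context) reach the runner.
        # An actor without a mapping gets the empty string. ACTOR_ONE/ACTOR_TWO
        # and GHP_ACTOR_* are assumed placeholder names, not taken from the PR.
        env:
          API_TOKEN: >-
            ${{ github.actor == 'ACTOR_ONE' && secrets.GHP_ACTOR_ONE
            || github.actor == 'ACTOR_TWO' && secrets.GHP_ACTOR_TWO
            || '' }}
        run: |
          # Test the token through the environment rather than expanding the
          # secret into the script text, and fail instead of skipping the run.
          if [ -z "${API_TOKEN:-}" ]; then
            echo "No PAT mapped for actor '$GITHUB_ACTOR'" >&2
            exit 1
          fi
          pipenv run ansible-playbook playbook.yaml -e "api_token=$API_TOKEN" --check --diff
```

The token is scoped to the single step that needs it, so third-party actions in the same job never see it in their environment.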
garloff and others added 2 commits December 1, 2025 10:31
…in permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Kurt Garloff <kurt@garloff.de>