feat: add access checker

canonical · Aug 7, 2024 · ff6000d · ff6000d
1 parent 6db8be4
commit ff6000d
Show file tree

Hide file tree

Showing 7 changed files with 97 additions and 2 deletions.
diff --git a/.github/workflows/Documentation.yaml b/.github/workflows/Documentation.yaml
@@ -5,6 +5,8 @@ on:
   push:
     paths:
       - "oci/*/documentation.y*ml"
+    branches:
+      - main
   workflow_dispatch:
     inputs:
       oci-image-name:
@@ -23,9 +25,18 @@ on:
         type: string
 
 jobs:
+  access-check:
+    uses: ./.github/workflows/_Validate-access.yaml
+    if: ${{ github.event_name == 'workflow_dispatch' }}
+    with:
+      admin-only: true
+      image-path: "oci/${{ github.event.inputs.oci-image-name }}"
+
+
   validate-documentation-request:
     runs-on: ubuntu-22.04
     name: Validate documentation request
+    needs: [access-check]
     outputs:
       oci-img-path: ${{ steps.validate-image.outputs.img-path }}
       oci-img-name: ${{ steps.validate-image.outputs.img-name }}

diff --git a/.github/workflows/Image.yaml b/.github/workflows/Image.yaml
@@ -113,10 +113,18 @@ jobs:
 
           ./src/image/prepare_single_image_build_matrix.py \
             --oci-path ${{ steps.validate-image.outputs.img-path }} \
-            --revision-data-dir ${{ env.DATA_DIR }} \
+            --revision-data-dir ${{ env.DATA_DIR }}
 
-  run-build:
+  access-check:
     needs: [prepare-build]
+    uses: ./.github/workflows/_Validate-access.yaml
+    secrets: inherit
+    with:
+      admin-only: true
+      image-path: ${{ needs.prepare-build.outputs.oci-img-path }}
+
+  run-build:
+    needs: [access-check]
     strategy:
       fail-fast: true
       matrix: ${{ fromJSON(needs.prepare-build.outputs.build-matrix) }}

diff --git a/.github/workflows/Release.yaml b/.github/workflows/Release.yaml
@@ -28,9 +28,16 @@ on:
         type: string
 
 jobs:
+  access-check:
+    uses: ./.github/workflows/_Validate-access.yaml
+    with:
+      admin-only: true
+      image-path: "oci/${{ github.event.inputs.oci-image-name }}"
+
   validate-push-release-request:
     runs-on: ubuntu-22.04
     name: Validate push release request
+    needs: [access-check]
     outputs:
       oci-image-name: ${{ steps.get-image-name.outputs.img-name }}
     steps:

diff --git a/.github/workflows/Tests.yaml b/.github/workflows/Tests.yaml
@@ -66,9 +66,16 @@ env:
   DIVE_IMAGE: 'wagoodman/dive:v0.12'
 
 jobs:
+  access-check:
+    uses: ./.github/workflows/_Validate-access.yaml
+    with:
+      admin-only: true
+      image-path: "${{ github.event.inputs.oci-image-path }}"
+
   fetch-oci-image:
     runs-on: ubuntu-22.04
     name: Fetch OCI image for testing
+    needs: [access-check]
     outputs:
       test-cache-key: ${{ steps.cache.outputs.key }}
     steps:

diff --git a/.github/workflows/_Test-OCI-Factory.yaml b/.github/workflows/_Test-OCI-Factory.yaml
@@ -16,8 +16,15 @@ on:
       - "!src/cli-client/**"
 
 jobs:
+  access-check:
+    uses: ./.github/workflows/_Validate-access.yaml
+    with:
+      admin-only: true
+      image-path: "oci/mock-rock"
+
   test-workflows:
     name: Trigger internal tests for mock-rock
+    needs: [access-check]
     uses: ./.github/workflows/Image.yaml
     with:
       oci-image-name: "mock-rock"

diff --git a/.github/workflows/_Validate-access.yaml b/.github/workflows/_Validate-access.yaml
@@ -0,0 +1,54 @@
+name: Validate user access
+
+# This callable workflow checks if the workflow is triggered by
+# a code owner or an image maintainer by testing the github.actor
+# variable against the CODEOWNERS file and the contacts.yaml file
+# under oci/* path
+
+on:
+  workflow_call:
+    inputs:
+      admin-only:
+        description: 'The protected workflow should only be triggered as a code owner or an image maintainer'
+        required: true
+        default: false
+        type: boolean
+      image-path:
+        description: 'The path to the image to be built'
+        required: true
+        type: string
+
+jobs:
+  validate-access:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check if the workflow is triggered by an admin user
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "github.actor: ${{ github.actor }}"
+          echo "admin-only: ${{ inputs.admin-only }}"
+          if [[ ${{ inputs.admin-only }} == true ]]; then
+            echo "Expanding team mentions in the CODEOWNERS file"
+            teams=$(grep -oE '@[[:alnum:]_.-]+\/[[:alnum:]_.-]+' ${{ github.workspace }}/CODEOWNERS | sort | uniq)
+
+            for team in $teams; do
+              org=$(echo $team | cut -d'/' -f1 | sed 's/@//')
+              team_name=$(echo $team | cut -d'/' -f2)
+              members=$(gh api "/orgs/$org/teams/$team_name/members" | jq -r '.[].login')
+              replacement=$(echo "$members" | xargs -I {} echo -n "@{} " | awk '{$1=$1};1')
+              sed -i "s|$team|$replacement|g" ${{ github.workspace }}/CODEOWNERS
+            done
+
+            if grep -wq "@${{ github.actor }}" ${{ github.workspace }}/CODEOWNERS; then
+              echo "The workflow is triggered by ${{ github.actor }} as the code owner"
+            elif cat ${{ github.workspace }}/${{ inputs.image-path }}/contacts.yaml | yq ".maintainers" | grep "\- " | grep -wq "${{ github.actor }}"; then
+              echo "The workflow is triggered by ${{ github.actor }} as a maintainer of the image ${{ inputs.image-path }}"
+            else
+              echo "The workflow is triggered by a user neither as a code owner nor a maintainer of the image ${{ inputs.image-path }}"
+              exit 1
+            fi
+          else
+            echo "The workflow is not restricted to non-code-owner or non-maintainer users"
+          fi
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -0,0 +1 @@
+*       @canonical/rocks