Skip to content

Protect Audit Labels #1540

Protect Audit Labels

Protect Audit Labels #1540

# Protect Audit Labels
# - Makes sure that the following labels can only be assigned by a GitHub Action: "AuditCompleted", "AuditRequired", and "AuditNotRequired"
# - Will undo any unauthorized change of these labels
# - Will fail if it runs into an error, otherwise pass
# - Will skip checks if the PR was just approved or set from draft to "ready for review" state
name: Protect Audit Labels
on:
pull_request:
types: [labeled, unlabeled, synchronize, review_requested, ready_for_review]
pull_request_review:
types: [submitted]
jobs:
protect_audit_labels:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Check if event requires audit label protection
id: check_event
run: |
# Define the events that we care about (labeled/unlabeled)
EVENT_TYPES=("labeled" "unlabeled")
EVENT_ACTION="${{ github.event.action }}"
# Check if the action is one of the events we care about
if [[ " ${EVENT_TYPES[*]} " =~ " $EVENT_ACTION " ]]; then
echo "Human-triggered label event detected, proceeding with checks."
echo "CONTINUE=true" >> $GITHUB_ENV
else
echo -e "\033[32mAction was triggered by a non-label event, thus skipping checks (not required).\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
fi
- name: Check for authorized actor
if: env.CONTINUE == 'true'
run: |
##### Only allow the specific bot to manipulate audit labels
if [[ "${{ github.actor }}" == "lifi-action-bot" ]]; then
echo -e "\033[32mAction triggered by lifi-action-bot. No further checks required.\033[0m"
echo "CONTINUE=false" >> $GITHUB_ENV
exit 0
fi
echo "CONTINUE=true" >> $GITHUB_ENV
echo "This action was triggered by: ${{ github.actor }}"
- name: Protect Audit Labels
if: env.CONTINUE == 'true'
env:
GITHUB_TOKEN: ${{ secrets.GIT_ACTIONS_BOT_PAT_CLASSIC }}
run: |
##### Define the labels to protect
PROTECTED_LABELS=("AuditCompleted" "AuditRequired" "AuditNotRequired")
TARGET_LABEL="${{ github.event.label.name }}"
EVENT_ACTION="${{ github.event.action }}"
PR_NUMBER="${{ github.event.pull_request.number }}"
##### Fetch the current labels before action (to restore if needed)
CURRENT_LABELS=$(gh pr view $PR_NUMBER --json labels --jq '.labels[].name' | tr '\n' ' ')
echo "Current labels before processing: $CURRENT_LABELS"
echo "Event type: $EVENT_ACTION, Target label: $TARGET_LABEL"
##### Check if the event involves a protected label
if [[ " ${PROTECTED_LABELS[*]} " =~ " $TARGET_LABEL " ]]; then
echo -e "\033[31mUnauthorized modification of a protected label by ${{ github.actor }}. Reverting changes...\033[0m"
##### Revert to the previous state of labels
if [[ "$EVENT_ACTION" == "unlabeled" ]]; then
gh pr edit $PR_NUMBER --add-label "$TARGET_LABEL"
elif [[ "$EVENT_ACTION" == "labeled" ]]; then
gh pr edit $PR_NUMBER --remove-label "$TARGET_LABEL"
fi
##### Validate if the revert was successful
NEW_LABELS=$(gh pr view $PR_NUMBER --json labels --jq '.labels[].name' | tr '\n' ' ')
echo "Labels after attempted revert: $NEW_LABELS"
##### Check if revert was successful
if [[ "$EVENT_ACTION" == "unlabeled" && ! " $NEW_LABELS " =~ " $TARGET_LABEL " ]]; then
echo -e "\033[31mFailed to restore the '$TARGET_LABEL' label.\033[0m"
exit 1
elif [[ "$EVENT_ACTION" == "labeled" && " $NEW_LABELS " =~ " $TARGET_LABEL " ]]; then
echo -e "\033[31mFailed to remove the unauthorized '$TARGET_LABEL' label.\033[0m"
exit 1
fi
echo -e "\033[32mUnauthorized label modification was successfully prevented and undone.\033[0m"
else
echo -e "\033[32mNo protected labels were modified.\033[0m"
fi