git action added to bypass PRs
0xDEnYO committed Dec 11, 2024
1 parent 5ce2653 commit 1778872
Showing 1 changed file with 82 additions and 0 deletions.
82 changes: 82 additions & 0 deletions .github/workflows/forceMergePRBypassAudit.yml
@@ -0,0 +1,82 @@
name: Force-Merge PR (Bypass Audit Requirement)
# - This git action may only be used in exceptional cases
# - it can only be executed by the CTO or the Information Security Manager/Architect
# - a valid reason must be provided in order to force-merge a given PR

on:
workflow_dispatch:
inputs:
pr_number:
description: 'PR number to bypass'
required: true
justification:
description: 'Reason for bypass'
required: true

jobs:
force-merge-pr-bypass-audit:
runs-on: ubuntu-latest
steps:
- name: Fetch Information Security Team Members
env:
GH_PAT: ${{ secrets.GIT_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
##### Unset default GITHUB_TOKEN (insufficient permissions)
unset GITHUB_TOKEN
##### Authenticate with Personal Access Token
echo $GH_PAT | gh auth login --with-token
##### Fetch team members of 'informationsecuritymanager' team
ORG_NAME="lifinance"
TEAM_SLUG="informationsecuritymanager"
TEAM_MEMBERS=$(gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"/orgs/$ORG_NAME/teams/$TEAM_SLUG/members" | jq -r '.[].login')
if [[ -z "$TEAM_MEMBERS" ]]; then
echo -e "\033[31mERROR: Could not retrieve team members of $TEAM_SLUG.\033[0m"
exit 1
fi
echo "The following users are members of $TEAM_SLUG: $TEAM_MEMBERS"
echo "$TEAM_MEMBERS" > team_members.txt
- name: Verify Actor's Team Membership
run: |
##### Check if the actor is in the team members list
ACTOR="${{ github.actor }}"
TEAM_MEMBERS=$(cat team_members.txt)
if echo "$TEAM_MEMBERS" | grep -q "^$ACTOR$"; then
echo -e "\033[32m$ACTOR is authorized to approve bypasses.\033[0m"
echo "CONTINUE=true" >> "$GITHUB_ENV"
else
echo -e "\033[31mERROR: $ACTOR is NOT authorized to approve bypasses\033[0m"
exit 1
fi
- name: Log Justification
if: env.CONTINUE == 'true'
run: |
echo "Bypass approved for PR #${{ github.event.inputs.pr_number }} by $ACTOR."
echo "Justification: ${{ github.event.inputs.justification }}"
- name: Merge the PR
uses: actions/[email protected]
if: env.CONTINUE == 'true'
with:
script: |
const pr = parseInt(core.getInput('pr_number'));
console.log(`Merging PR ${pr} now`)
const { context } = github;
await github.rest.pulls.merge({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: pr,
merge_method: "squash"
});
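Review bot: The merge step reads the PR number with `core.getInput('pr_number')`, but inside actions/github-script `core.getInput` only sees the action's own `with:` inputs, not the `workflow_dispatch` inputs, so `pr` evaluates to `NaN` and `pulls.merge` is called with an invalid `pull_number`; read it from the event payload instead, `const pr = parseInt(context.payload.inputs.pr_number, 10);`, consistent with the `github.event.inputs.pr_number` already used in the Log Justification step. Separately, `$ACTOR` in the Log Justification step is a shell variable set in the previous step's `run:` and is empty here unless it is written to `$GITHUB_ENV` there or replaced with `${{ github.actor }}`. The free-text `justification` input is expanded directly into the `run:` script text; since the dispatching actor has already been verified against the team list the exposure is limited, but passing it through an `env:` entry and expanding `"$JUSTIFICATION"` in the shell keeps user-supplied text out of the script body. The job declares no `permissions:` block, so it runs with the repository's default token scope; an explicit `permissions:` with `contents: write` and `pull-requests: write` would both document and bound what the merge call needs, and the membership lookup would also benefit from `gh api --paginate` so teams beyond one page are not silently truncated. The rendered page shows the file without indentation and with fewer than the 82 added lines, so the nesting above was inferred from the key names.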
