-
Notifications
You must be signed in to change notification settings - Fork 163
/
rule_permissions.go
79 lines (71 loc) · 2.34 KB
/
rule_permissions.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
package actionlint
var allPermissionScopes = map[string]struct{}{
"actions": {},
"attestations": {},
"checks": {},
"contents": {},
"deployments": {},
"id-token": {},
"issues": {},
"discussions": {},
"packages": {},
"pages": {},
"pull-requests": {},
"repository-projects": {},
"security-events": {},
"statuses": {},
}
// RulePermissions is a rule checker to check permission configurations in a workflow.
// https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
type RulePermissions struct {
RuleBase
}
// NewRulePermissions creates new RulePermissions instance.
func NewRulePermissions() *RulePermissions {
return &RulePermissions{
RuleBase: RuleBase{
name: "permissions",
desc: "Checks for permissions configuration in \"permissions:\". Permission names and permission scopes are checked",
},
}
}
// VisitJobPre is callback when visiting Job node before visiting its children.
func (rule *RulePermissions) VisitJobPre(n *Job) error {
rule.checkPermissions(n.Permissions)
return nil
}
// VisitWorkflowPre is callback when visiting Workflow node before visiting its children.
func (rule *RulePermissions) VisitWorkflowPre(n *Workflow) error {
rule.checkPermissions(n.Permissions)
return nil
}
func (rule *RulePermissions) checkPermissions(p *Permissions) {
if p == nil {
return
}
if p.All != nil {
switch p.All.Value {
case "write-all", "read-all":
// OK
default:
rule.Errorf(p.All.Pos, "%q is invalid for permission for all the scopes. available values are \"read-all\" and \"write-all\"", p.All.Value)
}
return
}
for _, p := range p.Scopes {
n := p.Name.Value // Permission names are case-sensitive
if _, ok := allPermissionScopes[n]; !ok {
ss := make([]string, 0, len(allPermissionScopes))
for s := range allPermissionScopes {
ss = append(ss, s)
}
rule.Errorf(p.Name.Pos, "unknown permission scope %q. all available permission scopes are %s", n, sortedQuotes(ss))
}
switch p.Value.Value {
case "read", "write", "none":
// OK
default:
rule.Errorf(p.Value.Pos, "%q is invalid for permission of scope %q. available values are \"read\", \"write\" or \"none\"", p.Value.Value, n)
}
}
}