openyurt security self-assessment #2032
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Rerun Failed Workflows | |
on: | |
issue_comment: | |
types: [created] | |
jobs: | |
rerun_failed_workflows: | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Check for Command and Access Level | |
id: check | |
uses: actions/[email protected] | |
with: | |
github-token: ${{secrets.GITHUB_TOKEN}} | |
script: | | |
const issue = context.issue; | |
const username = context.payload.comment.user.login; | |
const regex = /\/rerun/g; | |
const comment = await github.rest.issues.getComment({ | |
owner: issue.owner, | |
repo: issue.repo, | |
comment_id: context.payload.comment.id, | |
}); | |
if (regex.test(comment.data.body)) { | |
const permissionLevel = await github.rest.repos.getCollaboratorPermissionLevel({ | |
owner: issue.owner, | |
repo: issue.repo, | |
username: username, | |
}); | |
if (['admin', 'write', 'read'].includes(permissionLevel.data.permission)) { | |
console.log(`User ${username} with permission ${permissionLevel.data.permission} has access to rerun failed workflows`); | |
return true; | |
} else { | |
console.log(`User ${username} with permission ${permissionLevel.data.permission} does not have access to rerun failed workflows`); | |
return false; | |
} | |
} else { | |
return false; | |
} | |
result-encoding: string | |
- name: Fetch and rerun failed workflows | |
if: steps.check.outputs.result == 'true' | |
uses: actions/[email protected] | |
with: | |
github-token: ${{secrets.GITHUB_TOKEN}} | |
script: | | |
const issue = context.issue; | |
const pull = await github.rest.pulls.get({ | |
owner: issue.owner, | |
repo: issue.repo, | |
pull_number: issue.number, | |
}); | |
const workflows = await github.rest.actions.listWorkflowRunsForRepo({ | |
owner: issue.owner, | |
repo: issue.repo, | |
branch: pull.data.head.ref, | |
status: 'failure', | |
}); | |
for (const run of workflows.data.workflow_runs) { | |
const result = await github.rest.actions.reRunWorkflowFailedJobs({ | |
owner: issue.owner, | |
repo: issue.repo, | |
run_id: run.id, | |
}); | |
console.log(`reRunWorkflowFailedJobs workflow ${JSON.stringify(run)} with response ${JSON.stringify(result)}`); | |
} |