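name: Check collaborator permissions (demo)

on:
  workflow_dispatch:

# Global default: read-only to keep things tight.
# Every job below sets its own `permissions:` block, which replaces (not
# extends) this default, so each job's GITHUB_TOKEN carries exactly the
# scopes listed there. The demo calls the same collaborator-permission
# endpoint under each scope set and prints the HTTP status it gets back.
permissions:
  contents: read

env:
  # Space-separated logins checked by every job.
  USERS: "nojaf dsyme pelikhan"
  API_URL: "https://api.github.com"
  API_VERSION: "2022-11-28"

jobs:
  # 1) All scopes read-only (or effectively read-only for contents)
  read_all:
    name: With read-only token (expect 403)
    runs-on: ubuntu-latest
    permissions:
      # You can also use `read-all`, but showing explicit `contents: read` here.
      contents: read
    steps:
      - name: Check three users via REST
        shell: bash
        # The token and repository slug reach the script through the
        # environment instead of `${{ }}` substitution inside `run:`, so the
        # rendered script text never contains the secret and the values are
        # plain data to the shell rather than part of its source.
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
        run: |
          set +e # we want to keep going even on 403
          IFS=' ' read -r -a users <<< "${USERS}"
          for u in "${users[@]}"; do
            echo "::group::GET /repos/${REPO}/collaborators/$u/permission"
            # -w prints only the status code; the body goes to resp.json.
            code=$(curl -sS -o resp.json -w "%{http_code}" \
              -H "Authorization: Bearer ${GH_TOKEN}" \
              -H "Accept: application/vnd.github+json" \
              -H "X-GitHub-Api-Version: ${API_VERSION}" \
              "${API_URL}/repos/${REPO}/collaborators/$u/permission")
            echo "HTTP $code"
            if [ "$code" -ge 200 ] && [ "$code" -lt 300 ]; then
              jq -r '{user:.user.login, permission, role_name} | @text "user=@\(.user) permission=\(.permission) role=\(.role_name)"' resp.json
            else
              cat resp.json
            fi
            echo "::endgroup::"
          done

  # 2) contents:read plus pull-requests:read — still read-only (expect 403)
  read_combo:
    name: Read-only combo (expect 403)
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: read
    steps:
      - name: Check three users via REST
        shell: bash
        # Token and repo slug via env, not `${{ }}` inside the script (see job 1).
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
        run: |
          set +e
          IFS=' ' read -r -a users <<< "${USERS}"
          for u in "${users[@]}"; do
            echo "::group::GET /repos/${REPO}/collaborators/$u/permission"
            code=$(curl -sS -o resp.json -w "%{http_code}" \
              -H "Authorization: Bearer ${GH_TOKEN}" \
              -H "Accept: application/vnd.github+json" \
              -H "X-GitHub-Api-Version: ${API_VERSION}" \
              "${API_URL}/repos/${REPO}/collaborators/$u/permission")
            echo "HTTP $code"
            if [ "$code" -ge 200 ] && [ "$code" -lt 300 ]; then
              jq -r '{user:.user.login, permission, role_name} | @text "user=@\(.user) permission=\(.permission) role=\(.role_name)"' resp.json
            else
              cat resp.json
            fi
            echo "::endgroup::"
          done

  # 3) contents:write — should succeed (has push-equivalent)
  write_contents:
    name: "With contents: write (should succeed)"
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Check three users via REST
        shell: bash
        # Token and repo slug via env, not `${{ }}` inside the script (see job 1).
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
        run: |
          set +e
          IFS=' ' read -r -a users <<< "${USERS}"
          for u in "${users[@]}"; do
            echo "::group::GET /repos/${REPO}/collaborators/$u/permission"
            # -D keeps the response headers so the accepted-permissions
            # header can be shown below.
            code=$(curl -sS -D headers.txt -o resp.json -w "%{http_code}" \
              -H "Authorization: Bearer ${GH_TOKEN}" \
              -H "Accept: application/vnd.github+json" \
              -H "X-GitHub-Api-Version: ${API_VERSION}" \
              "${API_URL}/repos/${REPO}/collaborators/$u/permission")
            echo "HTTP $code"
            if [ "$code" -ge 200 ] && [ "$code" -lt 300 ]; then
              jq -r '{user:.user.login, permission, role_name} | @text "user=@\(.user) permission=\(.permission) role=\(.role_name)"' resp.json
              # If present (fine-grained actors), show what permissions the API says are acceptable
              echo "x-accepted-github-permissions:"
              grep -i '^x-accepted-github-permissions:' headers.txt || true
            else
              cat resp.json
            fi
            echo "::endgroup::"
          done

  # 4) No contents permission at all — only unrelated scopes (expect 403)
  no_contents:
    name: No contents permission (expect 403)
    runs-on: ubuntu-latest
    permissions:
      pull-requests: read
      issues: read
    steps:
      - name: Check three users via REST
        shell: bash
        # Token and repo slug via env, not `${{ }}` inside the script (see job 1).
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
        run: |
          set +e
          IFS=' ' read -r -a users <<< "${USERS}"
          for u in "${users[@]}"; do
            echo "::group::GET /repos/${REPO}/collaborators/$u/permission"
            code=$(curl -sS -o resp.json -w "%{http_code}" \
              -H "Authorization: Bearer ${GH_TOKEN}" \
              -H "Accept: application/vnd.github+json" \
              -H "X-GitHub-Api-Version: ${API_VERSION}" \
              "${API_URL}/repos/${REPO}/collaborators/$u/permission")
            echo "HTTP $code"
            if [ "$code" -ge 200 ] && [ "$code" -lt 300 ]; then
              jq -r '{user:.user.login, permission, role_name} | @text "user=@\(.user) permission=\(.permission) role=\(.role_name)"' resp.json
            else
              cat resp.json
            fi
            echo "::endgroup::"
          done

  # 5) write-all — also succeeds; shows a broader token example
  write_all:
    name: With write-all (should succeed)
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - name: Check three users via REST
        shell: bash
        # Token and repo slug via env, not `${{ }}` inside the script (see job 1).
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
        run: |
          set +e
          IFS=' ' read -r -a users <<< "${USERS}"
          for u in "${users[@]}"; do
            echo "::group::GET /repos/${REPO}/collaborators/$u/permission"
            code=$(curl -sS -o resp.json -w "%{http_code}" \
              -H "Authorization: Bearer ${GH_TOKEN}" \
              -H "Accept: application/vnd.github+json" \
              -H "X-GitHub-Api-Version: ${API_VERSION}" \
              "${API_URL}/repos/${REPO}/collaborators/$u/permission")
            echo "HTTP $code"
            if [ "$code" -ge 200 ] && [ "$code" -lt 300 ]; then
              jq -r '{user:.user.login, permission, role_name} | @text "user=@\(.user) permission=\(.permission) role=\(.role_name)"' resp.json
            else
              cat resp.json
            fi
            echo "::endgroup::"
          done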