simplechat/.github/workflows/broken-access-control-check.yml at main · microsoft/simplechat · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
name: Broken Access Control Check

on:
  pull_request:
    branches:
      - Development
    paths:
      - 'application/**/*.py'
      - 'scripts/check_broken_access_control.py'
      - 'functional_tests/test_broken_access_control_guardrails_checker.py'
      - '.github/workflows/broken-access-control-check.yml'
      - '.github/instructions/broken-access-control-prevention.instructions.md'

jobs:
  broken-access-control-check:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Get changed Python files
        id: changed-files
        uses: tj-actions/changed-files@v46.0.1
        with:
          files_yaml: |
            bac_surface:
              - 'application/**/*.py'
            bac_guardrails:
              - 'scripts/check_broken_access_control.py'
              - 'functional_tests/test_broken_access_control_guardrails_checker.py'
              - '.github/workflows/broken-access-control-check.yml'
              - '.github/instructions/broken-access-control-prevention.instructions.md'
              - 'docs/explanation/features/v0.241.022/BROKEN_ACCESS_CONTROL_PR_GUARDRAILS.md'

      - name: Run Broken Access Control validation
        env:
          CHANGED_BAC_FILES: ${{ steps.changed-files.outputs.bac_surface_all_changed_files }}
          GITHUB_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_HEAD_SHA: ${{ github.sha }}
        run: |
          if [[ -z "$CHANGED_BAC_FILES" ]]; then
            echo "No changed application files detected for Broken Access Control validation."
            exit 0
          fi

          echo "Changed application files:"
          printf '%s\n' "$CHANGED_BAC_FILES" | tr ' ' '\n'

          python scripts/check_broken_access_control.py \
            --base-sha "$GITHUB_BASE_SHA" \
            --head-sha "$GITHUB_HEAD_SHA" \
            $CHANGED_BAC_FILES

      - name: Run Broken Access Control guardrail self-test (advisory)
        if: steps.changed-files.outputs.bac_guardrails_any_changed == 'true'
        continue-on-error: true
        run: |
          python functional_tests/test_broken_access_control_guardrails_checker.py