hersidia

Reputation: 1

Github Action to restrict merge to Admins only

I'm trying to restrict the ability to merge PRs to Admins only by using a GitHub Action. Below is my mergepr.yml:

```yaml
name: Restrict merges to admins

on:
  pull_request:
    branches:
      - dev
      - master

jobs:
  restrict-merges:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Install GitHub CLI
        run: |
          # Download the GitHub CLI binary for Linux (replace URL with the correct one)
          curl -fsSL https://github.com/cli/cli/releases/download/v2.35.0/gh_2.35.0_linux_amd64.tar.gz -o gh.tar.gz
          tar -xzf gh.tar.gz
          # The tarball unpacks to gh_<version>_linux_amd64/bin/gh; move the binary, not the directory
          sudo mv gh_*/bin/gh /usr/local/bin/gh
          gh --version
      - name: Set up GitHub CLI
        run: |
          echo "Setting up GitHub CLI"
          gh config set -h github.com ${GITHUB_TOKEN}
      - name: Check if the user is an admin
        run: |
          PR_NUMBER="${{ github.event.pull_request.number }}"
          USER_ROLE=$(gh api users/me/role --jq '.role')
          if [[ $USER_ROLE != '"admin"' ]]; then
            echo "Only admins can merge pull requests into the main branch."
            exit 1
          fi
      - name: Merge the pull request
        run: |
          PR_NUMBER="${{ github.event.pull_request.number }}"
          gh pr merge $PR_NUMBER --auto
```

It was expected for this GitHub Action to pass when the user is an admin, but it fails irrespective of user role. Below is the error log:

```
Run echo "Setting up GitHub CLI"
  echo "Setting up GitHub CLI"
  gh config set -h github.com ${GITHUB_TOKEN}
  shell: /usr/bin/bash -e {0}
Setting up GitHub CLI
accepts 2 arg(s), received 0
Error: Process completed with exit code 1.
```

Upvotes: 0

Views: 129

Answers (1)

jessehouwing

Reputation: 114491

You can't pass ${GITHUB_TOKEN} that way. Either use ${{secrets.GITHUB_TOKEN}} or pass it as an environment variable (safer).

On top of that, `gh config set -h {host}` expects 2 parameters, key and value; you are supplying the {host} and the value, but not the key.

```yaml
  - name: Set up GitHub CLI
    run: |
      echo "Setting up GitHub CLI"
      gh config set -h github.com <SOMEKEY> $GITHUB_TOKEN
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

or

```yaml
  # ⚠️ Warning: inlining variables and secrets may open you up to
  #    script injection attacks.

  - name: Set up GitHub CLI
    run: |
      echo "Setting up GitHub CLI"
      gh config set -h github.com <SOMEKEY> ${{ secrets.GITHUB_TOKEN }}
```

But you shouldn't have to set the token in the config. gh will automatically pick up the token when you set it in the environment. Just add the following to the tasks below that need the token to authenticate.

```yaml
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Be sure to read up on GitHub Actions hardening - script injection attacks.

Upvotes: 0
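Putting the answer's two points together, here is an added example (not code from the question or the answer) of what the "check if the user is an admin" step could look like once the token is passed through the environment: a POSIX shell script that a step runs, with the workflow YAML shown as a comment at the top. It checks the PR author's permission on the repository rather than the identity behind the workflow's own token, using the documented `GET /repos/{owner}/{repo}/collaborators/{username}/permission` endpoint, and it fails closed on anything other than `admin`. The second half reproduces the script-injection warning: a constructed PR title that, pasted inline into a `run:` block, executes its own command, and that is harmless when handed over as an environment variable. The script path `.github/scripts/require_admin.sh`, the `PR_AUTHOR` variable name and the sample title are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: a step script
# that fails the job unless the pull request author has admin permission
# on the repository.  The YAML step that would run it is shown here as a
# comment; every value reaches the script through environment variables,
# never through inline ${{ }} expressions in the run: block.
#
#   - name: Require an admin PR author
#     env:
#       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # read by gh automatically
#       PR_AUTHOR: ${{ github.event.pull_request.user.login }}
#     run: sh .github/scripts/require_admin.sh run
#
# GITHUB_REPOSITORY ("owner/repo") is set by the runner for every job.
# The script path and the PR_AUTHOR variable name are this example's choice.
set -eu

# Ask GitHub for the author's permission on the repository.  The REST
# endpoint GET /repos/{owner}/{repo}/collaborators/{username}/permission
# returns a JSON object whose "permission" field is admin, write, read or none.
fetch_permission_json() {
  gh api "repos/$1/collaborators/$2/permission"
}

# Extract the "permission" value without depending on jq being installed
# (gh's own --jq flag would also work; this keeps the parser testable offline).
permission_from_json() {
  printf '%s\n' "$1" | sed -n 's/.*"permission"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Fail closed: only an exact "admin" passes; empty or unexpected values do not.
is_admin_permission() {
  [ "$1" = "admin" ]
}

# Returns 0 when $2 is an admin of repository $1, 1 otherwise.
check_author() {
  json=$(fetch_permission_json "$1" "$2") || return 1
  perm=$(permission_from_json "$json")
  if is_admin_permission "$perm"; then
    printf '%s is an admin of %s; merge allowed\n' "$2" "$1"
    return 0
  fi
  printf '%s has permission "%s" on %s; only admins may merge\n' "$2" "${perm:-none}" "$1" >&2
  return 1
}

# --- Why the answer insists on env instead of inline interpolation -----------
# A constructed, attacker-controlled PR title.  Pasted into a shell step
# verbatim it closes the quotes and runs its own command; the $((6*7)) is
# only evaluated if the shell really executed it, which the check below uses.
EVIL_TITLE='"; echo INJECTED-$((6*7)); echo "'

# Inline style: the runner substitutes ${{ github.event.pull_request.title }}
# into the script text before the shell starts, so the value becomes code.
run_inline_style() {
  sh -c 'echo "'"$1"'"'
}

# Env style: the shell expands "$PR_TITLE" as data; the payload is printed, not run.
run_env_style() {
  PR_TITLE="$1" sh -c 'echo "$PR_TITLE"'
}

# Returns 0 when the payload's command actually executed (the arithmetic was evaluated).
payload_executed() {
  printf '%s\n' "$1" | grep -q 'INJECTED-42'
}

# Entry point used by the workflow step; running without "run" (or sourcing
# the file) only defines the functions above.
case "${1:-}" in
  run) check_author "$GITHUB_REPOSITORY" "$PR_AUTHOR" ;;
esac
```

Two caveats a practitioner should keep in mind when using this as a merge gate: a failing job only prevents the merge if the branch protection rule for `dev` and `master` lists this job as a required status check, and on `pull_request` runs triggered from a fork the `GITHUB_TOKEN` is read-only, so any follow-up `gh pr merge` step would need a different token.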
