Skip to content
/ protected-files Public

When you need to protect specific files in the repo from being modified by organization users at all costs.

License

Unlicense license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

cvega/protected-files

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
docs/imgs
docs/imgs
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
app.py
app.py
 
 
config.yml
config.yml
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

Protected Files / PR Bot

This bot is useful for when you need to protect specific files across many repos from being modified by organization users. This is mostly useful for preventing the modification of actions/workflows as part of a pull request. This bot is typically deployed by GitHub enterprise and organizations administrators that want to include specific workflows across their organization while ensuring end users aren't modifying or deleting them.

Please note, This bot needs to be used in conjunction with branch protections, and will supersede CODEOWNERS settings within the repo. If your default branch does not require a pull request, this bot will not be helpful.

You may also want to considering using the safer pull_request_target trigger versus the pull_request trigger with actions workflows. This ensures that the default branch workflows are used and not the branch workflows which may or could be modified.

How it works

When a PR is created a webhook is sent to the bot. The bot creates a check_run for the PR and inspects the changes in the PR. If any of the files in the files list are modified by a user that is not listed as an owner, it will automatically fail the pr by updating the check_run with the status of failure.

The bot is Flask based and runs on port 5000 by default. A Dockerfile has been included for ease of use. Otherwise you'll need to provision the bot yourself.

In practice

Preventing the modification of files

Allowing modification of files when a user owns the file

Setup Requirements

You'll need a host to provision this application. A Dockerfile has been included for ease of use. Otherwise you'll need to provision the bot yourself.

  • Organization webhook
    • URL (where this bot runs)
    • Let me select individual events.
      • Pull requests

  • Branch Protections Enabled
    • Require a pull request before merging
    • Require status checks to pass before merging
      • Require branches to be up to date before merging
    • Include administrators

If you're looking for an actions based bot that will ensure a branch protection policy is deployed to your organization please see my Protected Branch Policy project


  • GitHub App
    • Create a GitHub App
      • scopes
        • check_run
          • read/write
      • generate pem file
      • install app to organization
      • note the app_id and installation_id

Configuration

setting usage
pem path to pem file
url GitHub URL (.com or GHES)
app_id GitHub App app_id
installation_id GitHub App installation_id
owner list of users that have access to modify the protected files
files list of protected files

config.yml example (required)

pem: /path/to/secure.pem
url: https://api.github.com
app_id: 000001
installation_id: 00000001
owners:
  - cvega
  - octocat
files:
  - .github/workflows/dependency-scanner.yml
  - .github/workflows/code-scanner.yml

About

When you need to protect specific files in the repo from being modified by organization users at all costs.

Resources

Readme

License

Unlicense license
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases 1

v0.0.1 Latest
Jul 19, 2022

Packages

No packages published

Languages