Add workflows permission scope to WorkflowParser
Add 'workflows' as a recognized permission scope for GITHUB_TOKEN, gated behind AllowWorkflowsPermission feature flag. Changes: - Permissions.cs: Add Workflows property, copy constructor, comparison key mapping. Excluded from write-all/read-all bulk constructors. - WorkflowTemplateConverter.cs: Parse 'workflows' permission with feature flag guard. Read downgrades to NoAccess (write-only scope). - WorkflowFeatures.cs: Add AllowWorkflowsPermission flag, default false.
This commit is contained in:
@@ -1957,6 +1957,24 @@ namespace GitHub.Actions.WorkflowParser.Conversion
|
||||
context.Error(key, $"The permission 'models' is not allowed");
|
||||
}
|
||||
break;
|
||||
case "workflows":
|
||||
if (context.GetFeatures().AllowWorkflowsPermission)
|
||||
{
|
||||
// Workflows only supports write; downgrade read to none
|
||||
if (permissionLevel == PermissionLevel.Read)
|
||||
{
|
||||
permissions.Workflows = PermissionLevel.NoAccess;
|
||||
}
|
||||
else
|
||||
{
|
||||
permissions.Workflows = permissionLevel;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
context.Error(key, $"The permission 'workflows' is not allowed");
|
||||
}
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
using System;
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Runtime.Serialization;
|
||||
using GitHub.Actions.WorkflowParser.Conversion;
|
||||
@@ -17,7 +17,7 @@ namespace GitHub.Actions.WorkflowParser
|
||||
public Permissions(Permissions copy)
|
||||
{
|
||||
Actions = copy.Actions;
|
||||
ArtifactMetadata = copy.ArtifactMetadata;
|
||||
ArtifactMetadata = copy.ArtifactMetadata;
|
||||
Attestations = copy.Attestations;
|
||||
Checks = copy.Checks;
|
||||
Contents = copy.Contents;
|
||||
@@ -32,6 +32,7 @@ namespace GitHub.Actions.WorkflowParser
|
||||
SecurityEvents = copy.SecurityEvents;
|
||||
IdToken = copy.IdToken;
|
||||
Models = copy.Models;
|
||||
Workflows = copy.Workflows;
|
||||
}
|
||||
|
||||
public Permissions(
|
||||
@@ -41,7 +42,7 @@ namespace GitHub.Actions.WorkflowParser
|
||||
bool includeModels)
|
||||
{
|
||||
Actions = permissionLevel;
|
||||
ArtifactMetadata = permissionLevel;
|
||||
ArtifactMetadata = permissionLevel;
|
||||
Attestations = includeAttestations ? permissionLevel : PermissionLevel.NoAccess;
|
||||
Checks = permissionLevel;
|
||||
Contents = permissionLevel;
|
||||
@@ -56,9 +57,11 @@ namespace GitHub.Actions.WorkflowParser
|
||||
SecurityEvents = permissionLevel;
|
||||
IdToken = includeIdToken ? permissionLevel : PermissionLevel.NoAccess;
|
||||
// Models must not have higher permissions than Read
|
||||
Models = includeModels
|
||||
? (permissionLevel == PermissionLevel.Write ? PermissionLevel.Read : permissionLevel)
|
||||
Models = includeModels
|
||||
? (permissionLevel == PermissionLevel.Write ? PermissionLevel.Read : permissionLevel)
|
||||
: PermissionLevel.NoAccess;
|
||||
// Workflows is excluded from write-all / read-all; must be explicitly requested
|
||||
Workflows = PermissionLevel.NoAccess;
|
||||
}
|
||||
|
||||
private static KeyValuePair<string, (PermissionLevel, PermissionLevel)>[] ComparisonKeyMapping(Permissions left, Permissions right)
|
||||
@@ -81,6 +84,7 @@ namespace GitHub.Actions.WorkflowParser
|
||||
new KeyValuePair<string, (PermissionLevel, PermissionLevel)>("security-events", (left.SecurityEvents, right.SecurityEvents)),
|
||||
new KeyValuePair<string, (PermissionLevel, PermissionLevel)>("id-token", (left.IdToken, right.IdToken)),
|
||||
new KeyValuePair<string, (PermissionLevel, PermissionLevel)>("models", (left.Models, right.Models)),
|
||||
new KeyValuePair<string, (PermissionLevel, PermissionLevel)>("workflows", (left.Workflows, right.Workflows)),
|
||||
};
|
||||
}
|
||||
|
||||
@@ -196,6 +200,13 @@ namespace GitHub.Actions.WorkflowParser
|
||||
set;
|
||||
}
|
||||
|
||||
[DataMember(Name = "workflows", EmitDefaultValue = false)]
|
||||
public PermissionLevel Workflows
|
||||
{
|
||||
get;
|
||||
set;
|
||||
}
|
||||
|
||||
public Permissions Clone()
|
||||
{
|
||||
return new Permissions(this);
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
using System;
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Linq;
|
||||
using System.Reflection;
|
||||
@@ -41,6 +41,13 @@ namespace GitHub.Actions.WorkflowParser
|
||||
[DataMember(EmitDefaultValue = false)]
|
||||
public bool AllowModelsPermission { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Gets or sets a value indicating whether users may use the "workflows" permission.
|
||||
/// Used during parsing only.
|
||||
/// </summary>
|
||||
[DataMember(EmitDefaultValue = false)]
|
||||
public bool AllowWorkflowsPermission { get; set; }
|
||||
|
||||
/// <summary>
|
||||
/// Gets or sets a value indicating whether the expression function fromJson performs strict JSON parsing.
|
||||
/// Used during evaluation only.
|
||||
@@ -67,6 +74,7 @@ namespace GitHub.Actions.WorkflowParser
|
||||
Snapshot = false, // Default to false since this feature is still in an experimental phase
|
||||
StrictJsonParsing = false, // Default to false since this is temporary for telemetry purposes only
|
||||
AllowModelsPermission = false, // Default to false since we want this to be disabled for all non-production environments
|
||||
AllowWorkflowsPermission = false, // Default to false; gated by feature flag for controlled rollout
|
||||
AllowServiceContainerCommand = false, // Default to false since this feature is gated by actions_service_container_command
|
||||
};
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user