Skip to content

add a dryrun check #300

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
scoopex wants to merge 11 commits into
base: main
Choose a base branch
from
Open

add a dryrun check #300

Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
39a4f30
add a dryrun check
scoopex Oct 2, 2024
c9a6705
test
scoopex Oct 2, 2024
9e3883a
add push
scoopex Oct 2, 2024
68fef5e
add diff
scoopex Oct 2, 2024
7188de1
Rename
scoopex Oct 2, 2024
acd334b
Rename
scoopex Oct 2, 2024
214b0b9
Merge branch 'main' into dryrun_check
scoopex Oct 7, 2024
ec11245
Merge branch 'main' into dryrun_check
garloff Jan 17, 2025
7f9e197
Merge branch 'main' into dryrun_check
garloff Dec 1, 2025
b834f8b
Potential fix for code scanning alert no. 12: Workflow does not conta…
garloff Dec 1, 2025
7974cbf
Merge branch 'main' into dryrun_check
scoopex Dec 1, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
53 changes: 53 additions & 0 deletions .github/workflows/dryrun-manage-github-repositories.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
---
name: Test the management of github repositories
permissions:
contents: read

"on":
workflow_dispatch:
push:
branches-ignore:
- main
pull_request:
branches-ignore:
- main

jobs:
manage-github-repositories:
runs-on: ubuntu-latest
steps:
- name: Check token permissions
run: |
if [ -z "${{ secrets[format('GHP_{0}', github.actor)] }}" ]; then

Check warning

Code scanning / CodeQL

Excessive Secrets Exposure Medium

All organization and repository secrets are passed to the workflow runner in
secrets[format('GHP_{0}', github.actor)]
Loading

Copilot Autofix

AI 26 days ago

General fix:
Eliminate dynamic secret access and explicitly declare which secrets are used by the workflow. For per-user tokens, enumerate each possible user as a build matrix with a conditional per-user environment variable selection.

Detailed fix:

  • Remove the use of secrets[format('GHP_{0}', github.actor)].
  • Instead, create a matrix in the job that lists allowed users (actors) and assigns the exact secret name for each one.
  • Use a conditional for each possible actor to set the API_TOKEN env variable specifically to the corresponding secret, for example: 
    env:
  API_TOKEN: ${{ secrets.GHP_ACTOR1 }}
  • Remove any unnecessary checking for whether the secret is present—GitHub will fail with a useful error if a required secret is missing.
  • Update the api_token variable in the ansible invocation to use this new env declaration.

File/region to change:
.github/workflows/dryrun-manage-github-repositories.yml

  • Replace the dynamic secret access in the relevant env sections with explicit per-actor/secret mapping.
Suggested changeset 1
.github/workflows/dryrun-manage-github-repositories.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/dryrun-manage-github-repositories.yml b/.github/workflows/dryrun-manage-github-repositories.yml
--- a/.github/workflows/dryrun-manage-github-repositories.yml
+++ b/.github/workflows/dryrun-manage-github-repositories.yml
@@ -15,16 +15,16 @@
 jobs:
   manage-github-repositories:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - actor: user1
+            api_token: ${{ secrets.GHP_USER1 }}
+          - actor: user2
+            api_token: ${{ secrets.GHP_USER2 }}
+          # Add additional users as needed
+    if: github.actor == matrix.actor
     steps:
-      - name: Check token permissions
-        run: |
-          if [ -z "${{ secrets[format('GHP_{0}', github.actor)] }}" ]; then
-            echo "No valid PAT found for ${{github.actor}}"
-            exit 1
-          else
-            echo "Found valid PAT for ${{github.actor}}"
-          fi
-
       - name: Checkout repo
         uses: actions/checkout@v3
         with:
@@ -50,4 +49,4 @@
         run: |
           pipenv run ansible-playbook playbook.yaml -e api_token=$API_TOKEN --check --diff
         env:
-          API_TOKEN: ${{ secrets[format('GHP_{0}', github.actor)] }}
+          API_TOKEN: ${{ matrix.api_token }}
EOF
@@ -15,16 +15,16 @@
jobs:
manage-github-repositories:
runs-on: ubuntu-latest
strategy:
matrix:
include:
- actor: user1
api_token: ${{ secrets.GHP_USER1 }}
- actor: user2
api_token: ${{ secrets.GHP_USER2 }}
# Add additional users as needed
if: github.actor == matrix.actor
steps:
- name: Check token permissions
run: |
if [ -z "${{ secrets[format('GHP_{0}', github.actor)] }}" ]; then
echo "No valid PAT found for ${{github.actor}}"
exit 1
else
echo "Found valid PAT for ${{github.actor}}"
fi

- name: Checkout repo
uses: actions/checkout@v3
with:
@@ -50,4 +49,4 @@
run: |
pipenv run ansible-playbook playbook.yaml -e api_token=$API_TOKEN --check --diff
env:
API_TOKEN: ${{ secrets[format('GHP_{0}', github.actor)] }}
API_TOKEN: ${{ matrix.api_token }}
Copilot is powered by AI and may make mistakes. Always verify output.
echo "No valid PAT found for ${{github.actor}}"
exit 1
else
echo "Found valid PAT for ${{github.actor}}"
fi

- name: Checkout repo
uses: actions/checkout@v3
with:
submodules: true

- name: Setup python
uses: actions/setup-python@v4
with:
python-version: '3.10'
cache: 'pipenv'

- name: Install dependencies
run: |
python3 -m pip install --upgrade pip
python3 -m pip install pipenv wheel
pipenv install

- name: Install ansible collection
run: |
ansible-galaxy collection install git+https://github.com/opentelekomcloud/ansible-collection-gitcontrol.git

- name: Test the management of github repositories with Ansible
run: |
pipenv run ansible-playbook playbook.yaml -e api_token=$API_TOKEN --check --diff
env:
API_TOKEN: ${{ secrets[format('GHP_{0}', github.actor)] }}

Check warning

Code scanning / CodeQL

Excessive Secrets Exposure Medium

All organization and repository secrets are passed to the workflow runner in
secrets[format('GHP_{0}', github.actor)]
Loading

Copilot Autofix

AI 26 days ago

To fix the problem, we must avoid dynamically accessing secrets at runtime. Instead, explicitly define input variables or secrets for each possible value of ${{ github.actor }}. This ensures that only the secrets that are needed are passed to the workflow runner.

The best approach is to create a job matrix for each supported actor, and, for each one, pass the correct secret explicitly in the job's env section. For demonstration, if you have a limited set of possible actors (e.g., user1 and user2), you can write two jobs that are conditionally run only for the respective actor by using the if field, and reference the relevant secret explicitly with secrets.GHP_user1 and secrets.GHP_user2.

In practice:

  • For each actor who should have a specific PAT, add a job or a step guarded by if: github.actor == 'actorname'.
  • Set API_TOKEN: ${{ secrets.GHP_actorname }}.

If there are many actors, you will need to enumerate each one explicitly. If that is not feasible, you should reconsider the workflow design, as dynamic secret access is fundamentally prohibited for security.

Required changes:

  • Remove dynamic secret access in lines 21 and 53.
  • Replace with explicit secret references for each allowed actor, using conditionals.
Suggested changeset 1
.github/workflows/dryrun-manage-github-repositories.yml

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/dryrun-manage-github-repositories.yml b/.github/workflows/dryrun-manage-github-repositories.yml
--- a/.github/workflows/dryrun-manage-github-repositories.yml
+++ b/.github/workflows/dryrun-manage-github-repositories.yml
@@ -16,15 +16,26 @@
   manage-github-repositories:
     runs-on: ubuntu-latest
     steps:
-      - name: Check token permissions
+      - name: Check token permissions for user1
+        if: github.actor == 'user1'
         run: |
-          if [ -z "${{ secrets[format('GHP_{0}', github.actor)] }}" ]; then
-            echo "No valid PAT found for ${{github.actor}}"
+          if [ -z "${{ secrets.GHP_user1 }}" ]; then
+            echo "No valid PAT found for user1"
             exit 1
           else
-            echo "Found valid PAT for ${{github.actor}}"
+            echo "Found valid PAT for user1"
           fi
 
+      - name: Check token permissions for user2
+        if: github.actor == 'user2'
+        run: |
+          if [ -z "${{ secrets.GHP_user2 }}" ]; then
+            echo "No valid PAT found for user2"
+            exit 1
+          else
+            echo "Found valid PAT for user2"
+          fi
+
       - name: Checkout repo
         uses: actions/checkout@v3
         with:
@@ -46,8 +52,16 @@
         run: |
           ansible-galaxy collection install git+https://github.com/opentelekomcloud/ansible-collection-gitcontrol.git
 
-      - name: Test the management of github repositories with Ansible
+      - name: Test the management of github repositories with Ansible (user1)
+        if: github.actor == 'user1'
         run: |
           pipenv run ansible-playbook playbook.yaml -e api_token=$API_TOKEN --check --diff
         env:
-          API_TOKEN: ${{ secrets[format('GHP_{0}', github.actor)] }}
+          API_TOKEN: ${{ secrets.GHP_user1 }}
+
+      - name: Test the management of github repositories with Ansible (user2)
+        if: github.actor == 'user2'
+        run: |
+          pipenv run ansible-playbook playbook.yaml -e api_token=$API_TOKEN --check --diff
+        env:
+          API_TOKEN: ${{ secrets.GHP_user2 }}
EOF
@@ -16,15 +16,26 @@
manage-github-repositories:
runs-on: ubuntu-latest
steps:
- name: Check token permissions
- name: Check token permissions for user1
if: github.actor == 'user1'
run: |
if [ -z "${{ secrets[format('GHP_{0}', github.actor)] }}" ]; then
echo "No valid PAT found for ${{github.actor}}"
if [ -z "${{ secrets.GHP_user1 }}" ]; then
echo "No valid PAT found for user1"
exit 1
else
echo "Found valid PAT for ${{github.actor}}"
echo "Found valid PAT for user1"
fi

- name: Check token permissions for user2
if: github.actor == 'user2'
run: |
if [ -z "${{ secrets.GHP_user2 }}" ]; then
echo "No valid PAT found for user2"
exit 1
else
echo "Found valid PAT for user2"
fi

- name: Checkout repo
uses: actions/checkout@v3
with:
@@ -46,8 +52,16 @@
run: |
ansible-galaxy collection install git+https://github.com/opentelekomcloud/ansible-collection-gitcontrol.git

- name: Test the management of github repositories with Ansible
- name: Test the management of github repositories with Ansible (user1)
if: github.actor == 'user1'
run: |
pipenv run ansible-playbook playbook.yaml -e api_token=$API_TOKEN --check --diff
env:
API_TOKEN: ${{ secrets[format('GHP_{0}', github.actor)] }}
API_TOKEN: ${{ secrets.GHP_user1 }}

- name: Test the management of github repositories with Ansible (user2)
if: github.actor == 'user2'
run: |
pipenv run ansible-playbook playbook.yaml -e api_token=$API_TOKEN --check --diff
env:
API_TOKEN: ${{ secrets.GHP_user2 }}
Copilot is powered by AI and may make mistakes. Always verify output.