create a new allow_github_apps input to allow Apps to be disabled if need be

GrantBirki · GrantBirki · commit 0a296294bcfb · 2025-02-28T20:48:24.000-08:00
diff --git a/__tests__/functions/valid-permissions.test.js b/__tests__/functions/valid-permissions.test.js
@@ -11,6 +11,7 @@ beforeEach(() => {
   jest.spyOn(core, 'setOutput').mockImplementation(() => {})
   jest.spyOn(core, 'info').mockImplementation(() => {})
   process.env.INPUT_PERMISSIONS = 'write,admin'
+  process.env.INPUT_ALLOW_GITHUB_APPS = true
 
   context = {
     repo: {
@@ -67,6 +68,7 @@ test('determines that a user has does not valid permissions to invoke the Action
     '👋 __monalisa__, seems as if you have not write/admin permissions in this repo, permissions: read'
   )
   expect(setOutputMock).toHaveBeenCalledWith('actor', 'monalisa')
+  expect(setOutputMock).toHaveBeenCalledWith('actor_type', 'User')
 })
 
 test('fails to get actor information', async () => {
@@ -114,6 +116,7 @@ test('determines that a GitHub App has valid permissions', async () => {
 
   expect(await validPermissions(octokit, context)).toEqual(true)
   expect(setOutputMock).toHaveBeenCalledWith('actor', 'github-actions[bot]')
+  expect(setOutputMock).toHaveBeenCalledWith('actor_type', 'Bot')
   expect(infoMock).toHaveBeenCalledWith(
     `🔍 Detected actor type: Bot (${context.actor})`
   )
@@ -142,6 +145,28 @@ test('determines that a GitHub App does not have valid permissions', async () =>
     '👋 __monalisa[bot]__ does not have "issues" permission set to "write". Current permissions: {"issues":"read"}'
   )
   expect(setOutputMock).toHaveBeenCalledWith('actor', 'monalisa[bot]')
+  expect(setOutputMock).toHaveBeenCalledWith('actor_type', 'Bot')
+})
+
+test('fails since GitHub Apps are configured to be rejected', async () => {
+  process.env.INPUT_ALLOW_GITHUB_APPS = false
+  context.actor = 'monalisa[bot]'
+
+  octokit.rest.users.getByUsername = jest.fn().mockReturnValueOnce({
+    status: 200,
+    data: {
+      type: 'Bot'
+    }
+  })
+
+  expect(await validPermissions(octokit, context)).toEqual(
+    'GitHub Apps are not allowed to use this Action based on the "allow_github_apps" input.'
+  )
+  expect(setOutputMock).toHaveBeenCalledWith('actor', 'monalisa[bot]')
+  expect(setOutputMock).toHaveBeenCalledWith('actor_type', 'Bot')
+  expect(infoMock).toHaveBeenCalledWith(
+    `🔍 Detected actor type: Bot (${context.actor})`
+  )
 })
 
 test('fails to fetch installation details for GitHub App', async () => {
diff --git a/__tests__/schemas/action.schema.yml b/__tests__/schemas/action.schema.yml
@@ -197,6 +197,16 @@ inputs:
     default:
       type: string
       required: true
+  allow_github_apps:
+    description:
+      type: string
+      required: true
+    required:
+      type: boolean
+      required: true
+    default:
+      type: string
+      required: true
 
 # outputs section
 outputs:
@@ -264,3 +274,7 @@ outputs:
     description:
       type: string
       required: true
+  actor_type:
+    description:
+      type: string
+      required: true
diff --git a/action.yml b/action.yml
@@ -72,6 +72,10 @@ inputs:
     description: 'If set to "true", allow forks to bypass the review requirement if the operation is being made on a pull request from a fork. This option is potentially dangerous if you are checking out code in your workflow as a result of invoking this Action. If the code you are checking out has not been reviewed, then you might open yourself up to a TOCTOU vulnerability. You should always ensure that the code you are checking out has been reviewed, and that you checkout an exact commit sha rather than a ref.'
     required: true
     default: "false"
+  allow_github_apps:
+    description: 'If set to "true", allow GitHub Apps to interact with or trigger this Action view issue/pull_request comments. If you want to explicitly prevent GitHub Apps from invoking this Action, then set this to "false".'
+    required: true
+    default: "true"
 outputs:
   triggered:
     description: 'The string "true" if the trigger was found, otherwise the string "false" - Just because the workflow was triggered does not mean it should continue. This is a step 1/2 check'
@@ -105,6 +109,8 @@ outputs:
     description: 'The ref if being used in the context of a pull request'
   base_ref:
     description: The base ref that the pull request is merging into (if available and run in the context of a pull request)
+  actor_type:
+    description: 'The type of user/actor that triggered the IssueOps command. Values can be "User" or "Bot"'
 runs:
   using: "node20"
   main: "dist/index.js"
diff --git a/dist/index.js b/dist/index.js
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/src/functions/valid-permissions.js b/src/functions/valid-permissions.js
@@ -11,6 +11,10 @@ export async function validPermissions(octokit, context) {
     core.getInput('permissions', {required: true})
   )
 
+  const allowGitHubApps = core.getBooleanInput('allow_github_apps', {
+    required: true
+  })
+
   core.setOutput('actor', context.actor)
 
   // Get Actor Type from GitHub API
@@ -24,9 +28,14 @@ export async function validPermissions(octokit, context) {
 
   const actorType = userRes.data.type // "User" or "Bot"
   core.info(`🔍 Detected actor type: ${actorType} (${context.actor})`)
+  core.setOutput('actor_type', actorType)
 
   // Handle GitHub Apps (Bots)
   if (actorType === 'Bot') {
+    if (!allowGitHubApps) {
+      return `GitHub Apps are not allowed to use this Action based on the "allow_github_apps" input.`
+    }
+
     // Fetch installation details for the GitHub App
     const installationRes = await octokit.rest.apps.getRepoInstallation({
       ...context.repo
