diff --git a/terraform/deployments/github/main.tf b/terraform/deployments/github/main.tf index e5007cb3b..aa5d842bc 100644 --- a/terraform/deployments/github/main.tf +++ b/terraform/deployments/github/main.tf @@ -242,6 +242,24 @@ resource "github_branch_protection" "govuk_repos" { } } +resource "github_actions_repository_permissions" "gha_permissions" { + for_each = { + for name, repo in local.repositories : name => data.github_repository.govuk["alphagov/${name}"] + if try(repo.restrict_github_actions.enabled, false) && contains(keys(data.github_repository.govuk), "alphagov/${name}") + } + + repository = each.key + + enabled = true + allowed_actions = "selected" + + allowed_actions_config { + github_owned_allowed = true + patterns_allowed = local.repositories[each.key].restrict_github_actions.restricted_action_patterns + verified_allowed = false + } +} + # # Only the list of repositories which will have access to a secret is created/modified # here, the secret should have been created in the GitHub UI in advance by a diff --git a/terraform/deployments/github/repos.yml b/terraform/deployments/github/repos.yml index 879d51e1d..a835a1d42 100644 --- a/terraform/deployments/github/repos.yml +++ b/terraform/deployments/github/repos.yml 
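Review bot: `patterns_allowed` in the new `github_actions_repository_permissions` resource reads `restrict_github_actions.restricted_action_patterns` with no `try`, while the `for_each` filter only requires `enabled`, so a repository entry with `enabled: true` but no pattern list fails at plan time instead of falling back to the empty (most restrictive) list the schema documents as the default; `patterns_allowed = try(local.repositories[each.key].restrict_github_actions.restricted_action_patterns, [])` keeps that default. The `contains(keys(data.github_repository.govuk), "alphagov/${name}")` guard also silently drops any repository that asks to be restricted but is absent from the data source, so the YAML can claim a restriction that is never applied; a `lifecycle { precondition { ... } }` on the resource, or a separate check that every enabled entry has a matching repository, would fail the plan rather than fail open. Since `each.value` is never used, the `for_each` could map `name => name` instead of carrying the repository object.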
@@ -7,7 +7,35 @@ access_levels: - Dependency Review scan / dependency-review-pr - Lint Ruby / Run RuboCop - Security Analysis / Run Brakeman - +github_actions_sets: + platform_engineering_repository_actions: &platform_engineering_repository_actions + # Trusted (allow any version) + - actions/* + - alphagov/* + - docker/* + - ruby/* + - slackapi/* + - hashicorp/* + - ./.github/* + - helm/* + - azure/* + - dependabot/* + # Untrusted (require specific version) + - anchore/sbom-action/download-syft@b6a39da80722a2cb0ef5d197531764a89b5d48c3 + - aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a + - dflook/terraform-version@c397d406dba225ea3a19d04a7308a310f0fc83f1 + - dflook/terraform-version@c397d406dba225ea3a19d04a7308a310f0fc83f1 + - github/codeql-action/analyze@96f518a34f7a870018057716cc4d7a5c014bd61c + - github/codeql-action/autobuild@96f518a34f7a870018057716cc4d7a5c014bd61c + - github/codeql-action/init@96f518a34f7a870018057716cc4d7a5c014bd61c + - github/codeql-action/upload-sarif@96f518a34f7a870018057716cc4d7a5c014bd61c + - golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 + - JamesIves/github-pages-deploy-action@6c2d9db40f9296374acc17b90404b6e8864128c8 + - jbergstroem/hadolint-gh-action@eac45b98f6d761309202bd201205a8f8c988bfad + - ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 + - sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 + - terraform-linters/setup-tflint@ae78205cfffec9e8d93fd2b3115c7e9d3166d4b6 + - tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c repos: account-api: can_be_deployed: true @@ -19,7 +47,6 @@ repos: - Dependency Review scan / dependency-review-pr - Security Analysis / Run Brakeman - Lint Ruby / Run RuboCop - asset-manager: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/asset-manager.html" 
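Review bot: `dflook/terraform-version@c397d406dba225ea3a19d04a7308a310f0fc83f1` appears twice in the new `platform_engineering_repository_actions` list; one of the entries should go. The SHA-pinned `github/codeql-action/*` entries under "Untrusted (require specific version)" also do not restrict anything on their own: the Terraform resource in this change sets `github_owned_allowed = true`, and as far as I know that setting admits every action in the `actions` and `github` organisations at any ref, which makes `actions/*` redundant and leaves the CodeQL pins enforced only if the workflows themselves reference those SHAs. A comment on those entries saying so, or moving them under the "Trusted" heading, would stop a reader assuming this allow-list pins them.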
@@ -31,7 +58,6 @@ repos: - Dependency Review scan / dependency-review-pr - Security Analysis / Run Brakeman - Lint Ruby / Run RuboCop - authenticating-proxy: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/authenticating-proxy.html" @@ -39,7 +65,6 @@ repos: standard_contexts: *standard_govuk_rails_checks additional_contexts: - Test Ruby - bouncer: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/bouncer.html" @@ -48,15 +73,18 @@ repos: additional_contexts: - Test Ruby - Lint Ruby / Run RuboCop - bulk-changer: required_status_checks: standard_contexts: *standard_security_checks additional_contexts: - Test - - bulk-merger: {} - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions + bulk-merger: + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions collections: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/collections.html" @@ -73,7 +101,6 @@ repos: - Dependency Review scan / dependency-review-pr - Security Analysis / Run Brakeman - Lint Ruby / Run RuboCop - collections-publisher: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/collections-publisher.html" @@ -83,14 +110,12 @@ repos: - Lint JavaScript / Run Standardx - Lint SCSS / Run Stylelint - Test Ruby / Run RSpec - content-block-editor: required_status_checks: standard_contexts: *standard_security_checks additional_contexts: - Playwright / Run Tests - Vitest / Run Tests - content-data-admin: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/content-data-admin.html" 
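Review bot: The three-line `restrict_github_actions` block added for `bulk-changer` and `bulk-merger` is repeated verbatim for every other repository enabled in this change (every later hunk in this file that adds `restrict_github_actions:`), so changing the flag or swapping the pattern set later becomes a many-place edit. The file already depends on YAML anchors for `*standard_security_checks`, and the schema allows extra top-level keys, so one anchored mapping at the top (for example `platform_engineering_restriction: &platform_engineering_restriction` holding `enabled: true` and `restricted_action_patterns: *platform_engineering_repository_actions`) would let each repository say `restrict_github_actions: *platform_engineering_restriction`. The rest of each repository entry in this hunk is unchanged apart from the removed blank lines.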
@@ -100,7 +125,9 @@ repos: - Test Ruby - Lint SCSS / Run Stylelint - Lint JavaScript / Run Standardx - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions content-data-api: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/content-performance-manager.html" @@ -108,7 +135,9 @@ repos: standard_contexts: *standard_govuk_rails_checks additional_contexts: - Test Ruby / Run RSpec - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions content-modelling-e2e: required_status_checks: standard_contexts: *standard_security_checks @@ -116,7 +145,6 @@ repos: - Lint / Eslint - Prettier / Check - Playwright Tests / Run Tests - content-publisher: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/content-publisher.html" @@ -127,7 +155,6 @@ repos: - Lint JavaScript / Run Standardx - Test JavaScript / Run Jasmine - Test Ruby / Run RSpec - content-store: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/content-store.html" @@ -135,7 +162,6 @@ repos: standard_contexts: *standard_govuk_rails_checks additional_contexts: - Test Ruby / Run RSpec - content-tagger: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/content-tagger.html" @@ -145,19 +171,16 @@ repos: - Lint SCSS / Run Stylelint - Lint JavaScript / Run Standardx - Test Ruby / Run RSpec - data-community-tech-docs: homepage_url: "https://docs.data-community.publishing.service.gov.uk/" need_production_access_to_merge: false allow_squash_merge: true push_allowances: [] - datagovuk-tech-docs: homepage_url: "https://guidance.data.gov.uk/" need_production_access_to_merge: false allow_squash_merge: true push_allowances: [] - email-alert-api: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/email-alert-api.html" 
@@ -169,7 +192,6 @@ repos: - Dependency Review scan / dependency-review-pr - Security Analysis / Run Brakeman - Lint Ruby / Run RuboCop - email-alert-frontend: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/email-alert-frontend.html" @@ -180,7 +202,6 @@ repos: - Lint JavaScript / Run Standardx - Test JavaScript / Run Jasmine - Test Ruby / Run RSpec - email-alert-service: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/email-alert-service.html" @@ -189,7 +210,6 @@ repos: additional_contexts: - Lint Ruby / Run RuboCop - Test Ruby / Run RSpec - feedback: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/feedback.html" @@ -200,7 +220,6 @@ repos: - Lint SCSS / Run Stylelint - Test JavaScript / Run Jasmine - Test Ruby / Run RSpec - finder-frontend: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/finder-frontend.html" @@ -212,7 +231,6 @@ repos: - Lint JavaScript / Run Standardx - Test JavaScript / Run Jasmine - Test Ruby / Run RSpec - frontend: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/frontend.html" @@ -227,7 +245,6 @@ repos: - Dependency Review scan / dependency-review-pr - Security Analysis / Run Brakeman - Lint Ruby / Run RuboCop - gds-api-adapters: homepage_url: "http://www.rubydoc.info/github/alphagov/gds-api-adapters" pact_publisher: true @@ -238,14 +255,12 @@ repos: - CodeQL SAST scan / Analyze - Dependency Review scan / dependency-review-pr - test - gds-sso: publishes_gem: true required_status_checks: standard_contexts: *standard_security_checks additional_contexts: - test - government-frontend: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/government-frontend.html" 
@@ -256,7 +271,6 @@ repos: - Lint JavaScript / Run Standardx - Test JavaScript / Run Jasmine - Test Ruby / Run Minitest - govspeak: homepage_url: "https://govspeak-preview.publishing.service.gov.uk/" publishes_gem: true @@ -264,7 +278,6 @@ repos: standard_contexts: *standard_security_checks additional_contexts: - test - govspeak-preview: can_be_deployed: true homepage_url: "https://govspeak-preview.publishing.service.gov.uk/" @@ -272,10 +285,8 @@ repos: standard_contexts: *standard_security_checks additional_contexts: - test - govuk-analytics-engineering: visibility: private - govuk-chat: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/govuk-chat.html" @@ -287,7 +298,6 @@ repos: - Lint ERB / Run ErbLint - Test JavaScript / Run Jasmine - Test Ruby / Run RSpec - govuk-chat-evaluation: homepage_url: "https://docs.publishing.service.gov.uk/apps/govuk-chat-evaluation.html" required_status_checks: @@ -297,7 +307,6 @@ repos: - Lint - Format - Type checks - govuk-chat-gradio-prototype: visibility: private homepage_url: "https://docs.publishing.service.gov.uk/repos/govuk-chat-gradio-prototype.html" 
@@ -308,38 +317,36 @@ repos: - Lint - Format - Type checks - govuk-content-api-docs: homepage_url: "https://content-api.publishing.service.gov.uk" need_production_access_to_merge: false allow_squash_merge: true push_allowances: [] - govuk-dependabot-merger: required_status_checks: standard_contexts: *standard_security_checks - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk-dependency-checker: can_be_deployed: true required_status_checks: standard_contexts: *standard_security_checks additional_contexts: - Test - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk-developer-docs: allow_squash_merge: true can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk" need_production_access_to_merge: false - govuk-display-screen: need_production_access_to_merge: false allow_squash_merge: true standard_contexts: *standard_security_checks - teams: { - govuk: "maintain" - } - + teams: {govuk: "maintain"} govuk-dns-tf: visibility: private strict: true 
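Review bot: `teams: {govuk: "maintain"}` for `govuk-display-screen` (and `{teams: {govuk: "maintain"}}` for the two entries in the last hunk of this file) rewrites a nested mapping in flow style, while every other repository entry in the file uses block style. Writing it as `teams:` followed by an indented `govuk: "maintain"` line matches the surrounding entries and diffs cleanly when a second team is added.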
@@ -347,109 +354,116 @@ repos: required_status_checks: additional_contexts: - test - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk-e2e-tests: can_be_deployed: true - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk-exporter: can_be_deployed: true required_status_checks: additional_contexts: - Test Go - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk-fastly: can_be_deployed: true strict: true up_to_date_branches: true - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk-fastly-secrets: visibility: private strict: true up_to_date_branches: true - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk-graphql: branch_protection: false can_be_deployed: true - govuk-infrastructure: strict: true up_to_date_branches: true required_pull_request_reviews: require_code_owner_reviews: true - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions terraform-govuk-infrastructure-sensitive: visibility: private strict: true up_to_date_branches: true - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions terraform-govuk-tfe-workspacer: strict: true up_to_date_branches: true - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk-mobile-android-app: allow_squash_merge: true branch_protection: false - govuk-mobile-android-homepage: allow_squash_merge: true branch_protection: false - govuk-mobile-android-onboarding: allow_squash_merge: true branch_protection: false - govuk-mobile-android-services: allow_squash_merge: true branch_protection: false - 
govuk-mobile-ios-app: allow_squash_merge: true branch_protection: false - govuk-mobile-ios-homepage: allow_squash_merge: true branch_protection: false - govuk-mobile-ios-onboarding: allow_squash_merge: true branch_protection: false - govuk-mobile-ios-services: allow_squash_merge: true branch_protection: false - govuk-mobile-ios-ui-components: allow_squash_merge: true branch_protection: false - govuk-reports-prototype: need_production_access_to_merge: false allow_squash_merge: true branch_protection: false - govuk-rota-generator: required_status_checks: standard_contexts: *standard_security_checks additional_contexts: - test - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk-ruby-images: can_be_deployed: true - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk_ab_testing: publishes_gem: true required_status_checks: standard_contexts: *standard_security_checks additional_contexts: - test - govuk_admin_template: publishes_gem: true required_status_checks: standard_contexts: *standard_security_checks additional_contexts: - test - govuk_app_config: can_be_deployed: true homepage_url: "https://rubygems.org/gems/govuk_app_config" @@ -458,7 +472,9 @@ repos: standard_contexts: *standard_security_checks additional_contexts: - test - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk_chat_private: homepage_url: "https://docs.publishing.service.gov.uk/repos/govuk_chat_private.html" visibility: private @@ -471,7 +487,6 @@ repos: - Lint Ruby / Run RuboCop - Run RSpec - Test GOV.UK Chat / Run RSpec - govuk_document_types: homepage_url: "https://docs.publishing.service.gov.uk/document-types.html" publishes_gem: true 
@@ -479,14 +494,12 @@ repos: standard_contexts: *standard_security_checks additional_contexts: - test - govuk_message_queue_consumer: publishes_gem: true required_status_checks: standard_contexts: *standard_security_checks additional_contexts: - test - govuk_content_block_tools: homepage_url: "https://rubygems.org/gems/content_block_tools" publishes_gem: true @@ -494,7 +507,6 @@ repos: standard_contexts: *standard_security_checks additional_contexts: - test - govuk_personalisation: homepage_url: "https://github.com/alphagov/govuk_personalisation" publishes_gem: true @@ -502,7 +514,6 @@ repos: standard_contexts: *standard_security_checks additional_contexts: - test - govuk_publishing_components: homepage_url: "https://components.publishing.service.gov.uk" publishes_gem: true @@ -510,7 +521,6 @@ repos: standard_contexts: *standard_security_checks additional_contexts: - test - govuk_schemas: homepage_url: "http://www.rubydoc.info/github/alphagov/govuk_schemas" publishes_gem: true @@ -518,24 +528,23 @@ repos: standard_contexts: *standard_security_checks additional_contexts: - test - govuk_sidekiq: publishes_gem: true required_status_checks: standard_contexts: *standard_security_checks additional_contexts: - test - govuk_test: publishes_gem: true required_status_checks: standard_contexts: *standard_security_checks additional_contexts: - test - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk_web_banners: publishes_gem: true - hmrc-manuals-api: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/hmrc-manuals-api.html" @@ -543,7 +552,6 @@ repos: standard_contexts: *standard_govuk_rails_checks additional_contexts: - Test Ruby / Run RSpec - link-checker-api: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/link-checker-api.html" 
@@ -555,7 +563,6 @@ repos: - Dependency Review scan / dependency-review-pr - Security Analysis / Run Brakeman - Lint Ruby / Run RuboCop - local-links-manager: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/local-links-manager.html" @@ -566,7 +573,6 @@ repos: - Lint JavaScript / Run Standardx - Lint SCSS / Run Stylelint - Lint Views - locations-api: can_be_deployed: true required_status_checks: @@ -577,7 +583,6 @@ repos: - Dependency Review scan / dependency-review-pr - Security Analysis / Run Brakeman - Lint Ruby / Run RuboCop - manuals-publisher: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/manuals-publisher.html" @@ -589,33 +594,28 @@ repos: - Lint SCSS / Run Stylelint - Test JavaScript / Run Jasmine - Test Ruby / Run RSpec - markdown-toolbar-element: homepage_url: "https://alphagov.github.io/markdown-toolbar-element" required_status_checks: standard_contexts: *standard_security_checks - miller-columns-element: homepage_url: "https://alphagov.github.io/miller-columns-element/" required_status_checks: standard_contexts: *standard_security_checks additional_contexts: - test - optic14n: publishes_gem: true required_status_checks: standard_contexts: *standard_security_checks additional_contexts: - test - paste-html-to-govspeak: homepage_url: "https://alphagov.github.io/paste-html-to-govspeak/" required_status_checks: standard_contexts: *standard_security_checks additional_contexts: - test - places-manager: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/imminence.html" 
@@ -629,14 +629,15 @@ repos: - Dependency Review scan / dependency-review-pr - Security Analysis / Run Brakeman - Lint Ruby / Run RuboCop - plek: publishes_gem: true required_status_checks: standard_contexts: *standard_security_checks additional_contexts: - test - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions publisher: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/publisher.html" @@ -649,7 +650,6 @@ repos: - Lint SCSS / Run Stylelint - Test JavaScript / Run Jasmine - Test Ruby / Run Minitest - publishing-api: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/publishing-api.html" @@ -663,7 +663,6 @@ repos: - Dependency Review scan / dependency-review-pr - Security Analysis / Run Brakeman - Lint Ruby / Run RuboCop - rack-logstasher: publishes_gem: true homepage_url: "https://rubygems.org/gems/rack-logstasher" @@ -671,14 +670,15 @@ repos: standard_contexts: *standard_security_checks additional_contexts: - test - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions rails_translation_manager: publishes_gem: true required_status_checks: standard_contexts: *standard_security_checks additional_contexts: - test - release: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/repos/release.html" 
@@ -688,28 +688,36 @@ repos: - Test Ruby - Lint JavaScript / Run Standardx - Lint SCSS / Run Stylelint - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions router: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/repos/router.html" required_status_checks: additional_contexts: - Test Go - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions rubocop-govuk: publishes_gem: true required_status_checks: standard_contexts: *standard_security_checks additional_contexts: - test - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions seal: can_be_deployed: true required_status_checks: standard_contexts: *standard_security_checks additional_contexts: - test - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions search-admin: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/search-admin.html" @@ -719,7 +727,6 @@ repos: - Lint JavaScript / Run Standardx - Lint SCSS / Run Stylelint - Test Ruby / Run RSpec - search-api: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/search-api.html" @@ -728,7 +735,6 @@ repos: additional_contexts: - Lint Ruby / Run RuboCop - Test Ruby / Run RSpec - search-api-v2: can_be_deployed: true required_status_checks: @@ -736,13 +742,10 @@ repos: standard_contexts: *standard_govuk_rails_checks additional_contexts: - Test Ruby - search-api-v2-dataform: homepage_url: "https://docs.publishing.service.gov.uk/repos/search-api-v2-dataform.html" - search-v2-evaluator: can_be_deployed: true - service-manual-publisher: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/service-manual-publisher.html" 
@@ -753,7 +756,6 @@ repos: - Lint JavaScript / Run Standardx - Test JavaScript / Run Jasmine - Test Ruby / Run RSpec - short-url-manager: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/short-url-manager.html" @@ -762,7 +764,6 @@ repos: additional_contexts: - Test Ruby / Run RSpec - Lint SCSS / Run Stylelint - signon: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/signon.html" @@ -773,21 +774,21 @@ repos: - Lint JavaScript / Run Standardx - Lint SCSS / Run Stylelint - Test JavaScript / Run Jasmine - siteimprove_api_client: publishes_gem: true required_status_checks: standard_contexts: *standard_security_checks additional_contexts: - test - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions slimmer: publishes_gem: true required_status_checks: standard_contexts: *standard_security_checks additional_contexts: - test - smart-answers: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/smart-answers.html" @@ -799,7 +800,6 @@ repos: - Lint SCSS / Run Stylelint - Test JavaScript / Run Jasmine - Test Ruby / Run Minitest - specialist-publisher: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/specialist-publisher.html" @@ -810,7 +810,6 @@ repos: - Lint SCSS / Run Stylelint - Test JavaScript / Run Jasmine - Test Ruby / Run RSpec - static: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/static.html" @@ -821,7 +820,6 @@ repos: - Lint JavaScript / Run Standardx - Lint SCSS / Run Stylelint - Test JavaScript / Run Jasmine - support: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/support.html" @@ -831,7 +829,6 @@ repos: - Test Ruby - Lint JavaScript / Run Standardx - Lint SCSS / Run Stylelint - support-api: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/support-api.html" 
@@ -839,7 +836,6 @@ repos: standard_contexts: *standard_govuk_rails_checks additional_contexts: - Test Ruby - transition: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/transition.html" @@ -849,7 +845,6 @@ repos: - Integration tests - Test Ruby - Test JavaScript / Run Jasmine - travel-advice-publisher: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/travel-advice-publisher.html" @@ -860,7 +855,6 @@ repos: - Lint JavaScript / Run Standardx - Test JavaScript / Run Jasmine - Test Ruby / Run RSpec - whitehall: can_be_deployed: true homepage_url: "https://docs.publishing.service.gov.uk/apps/whitehall.html" 
@@ -874,65 +868,74 @@ repos: - Test Ruby / Run Minitest - Lint ERB / Run ERB lint - Prettier / Run Prettier - ckanext-datagovuk: required_status_checks: additional_contexts: - test - datagovuk_find: required_status_checks: additional_contexts: - test - govuk-browser-extension: required_status_checks: additional_contexts: - Test Extension JS - govuk-docker: required_status_checks: additional_contexts: - test - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk-mirror: can_be_deployed: true required_status_checks: additional_contexts: - Test Go - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk-replatform-test-app: required_status_checks: additional_contexts: - Test - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk-rota-announcer: visibility: internal required_status_checks: additional_contexts: - test - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk-user-reviewer: visibility: private homepage_url: "https://github.com/alphagov/govuk-rfcs/pull/75" required_status_checks: additional_contexts: - test - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions licensify: can_be_deployed: true visibility: private required_status_checks: additional_contexts: - test - govuk-crd-library: homepage_url: "https://alphagov.github.io/govuk-crd-library/" - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk-dns-ui: visibility: private homepage_url: "https://dns.publishing.service.gov.uk" - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk-helm-charts: can_be_deployed: true homepage_url: "https://www.gov.uk/" 
@@ -940,43 +943,46 @@ repos: pull_request_bypassers: - "/govuk-ci" require_code_owner_reviews: true - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk-knowledge-graph-search: homepage_url: "https://docs.data-community.publishing.service.gov.uk/tools/govsearch/" - public-asset-checker: homepage_url: "https://govuk-public-asset-checker.herokuapp.com" - govspeak-visual-editor: homepage_url: "https://govspeak-preview.publishing.service.gov.uk/editor" required_pull_request_reviews: pull_request_bypassers: - "alphagov/gov-uk" - govuk-knowledge-graph-gcp: homepage_url: "https://docs.data-community.publishing.service.gov.uk/tools/govgraph/" - github-trello-poster: required_status_checks: additional_contexts: - "CodeQL SAST scan / Analyze" - "Dependency Review scan / dependency-review-pr" - "test" - + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions ckan-mock-harvest-sources: {} govuk-data-science-workshop: {} govuk-mobile-backend: {} govuk-mobile-backend-config: {} - govuk-pact-broker: {} + govuk-pact-broker: + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions govuk-rfcs: {} govuk-s3-mirror: {} - govuk-content-publishing-guidance: { - teams: { - govuk: "maintain" - } - } - govuk-design-guide: { - teams: { - govuk: "maintain" - } - } + govuk-content-publishing-guidance: {teams: {govuk: "maintain"}} + govuk-design-guide: {teams: {govuk: "maintain"}} + ckan-helm: + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions + govuk-platform-internal: + restrict_github_actions: + enabled: true + restricted_action_patterns: *platform_engineering_repository_actions diff --git a/terraform/deployments/github/schemas/repos.schema.json b/terraform/deployments/github/schemas/repos.schema.json index 0f9d83bc9..56901a078 100644 
--- a/terraform/deployments/github/schemas/repos.schema.json
+++ b/terraform/deployments/github/schemas/repos.schema.json
@@ -10,6 +10,13 @@
 "items": { "type": "string" }
 }
 },
+ "github_actions_sets": {
+ "type": "object",
+ "additionalProperties": {
+ "type": "array",
+ "items": { "type": "string" }
+ }
+ },
 "repos": {
 "type": "object",
 "patternProperties": {
@@ -26,6 +33,26 @@
 "need_production_access_to_merge": { "type": "boolean" },
 "strict": { "type": "boolean" },
 "up_to_date_branches": { "type": "boolean" },
+ "restrict_github_actions": {
+ "type": "object",
+ "properties": {
+ "enabled": { "type": "boolean", "default": false},
+ "restricted_action_patterns": {
+ "type": "array",
+ "items": { "type": "string" },
+ "default": [],
+ "examples": [
+ "actions/*",
+ "hashicorp/setup-terraform@*",
+ "terraform-linters/setup-tflint@ae78205cfffec9e8d93fd2b3115c7e9d3166d4b6"
+ ]
+ }
+ },
+ "default": {
+ "enabled": false,
+ "restricted_actions_patterns": []
+ }
+ },
 "required_pull_request_reviews": {
 "type": "object",
 "properties": {
@@ -68,4 +95,4 @@
 },
 "required": ["repos"],
 "additionalProperties": true
-}
\ No newline at end of file
+}
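Review bot: The `default` object for `restrict_github_actions` spells its second key `restricted_actions_patterns`, whereas the property defined just above it is `restricted_action_patterns`, so the default can never line up with the real key; and because the object does not set `"additionalProperties": false`, the same misspelling in `repos.yml` would validate cleanly too. That matters here because main.tf reads the flag with `try(repo.restrict_github_actions.enabled, false)`, so a mistyped key such as `enable:` passes the schema and silently leaves the repository unrestricted. Suggest correcting the key and adding `"additionalProperties": false` to the `restrict_github_actions` object, and noting in a comment or the description that these `default` values are documentation only, since Terraform's `yamldecode` does not apply JSON Schema defaults.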