Github Action将合并限制为仅限管理员

cvxl0en2  于 2023-09-29  发布在  Git
关注(0)|答案(1)|浏览(108)

我试图限制只能通过使用GitHub操作将PR合并到管理员的能力。下面是mergepr.yml
`name:限制对管理员的合并
on:pull_request:分支:- dev - master
作业:限制合并:接续:ubuntu最新版

steps:
  - name: Checkout code
    uses: actions/checkout@v2

  - name: Install GitHub CLI
    run: |
      # Download the GitHub CLI binary for Linux (replace URL with the correct one)
      curl -fsSL https://github.com/cli/cli/releases/download/v2.35.0/gh_2.35.0_linux_amd64.tar.gz -o gh.tar.gz
      tar -xzf gh.tar.gz
      sudo mv gh_* /usr/local/bin/gh
      gh --version
  - name: Set up GitHub CLI
    run: |
      echo "Setting up GitHub CLI"
      gh config set -h github.com ${GITHUB_TOKEN}
  - name: Check if the user is an admin
    run: |
      PR_NUMBER="${{ github.event.pull_request.number }}"
      USER_ROLE=$(gh api users/me/role --jq '.role')
      if [[ $USER_ROLE != '"admin"' ]]; then
        echo "Only admins can merge pull requests into the main branch."
        exit 1
      fi
  - name: Merge the pull request
    run: |
      PR_NUMBER="${{ github.event.pull_request.number }}"
      gh pr merge $PR_NUMBER --auto

当用户为admin时,此GitHub操作预计会通过,但无论用户角色如何,它都会失败。下面是错误日志:Run echo "Setting up GitHub CLI" echo "Setting up GitHub CLI" gh config set -h github.com ${GITHUB_TOKEN} shell: /usr/bin/bash -e {0} Setting up GitHub CLI accepts 2 arg(s), received 0 Error: Process completed with exit code 1.`

eivgtgni

eivgtgni1#

你不能这样传递${GITHUB_TOKEN}。使用${{secrets.GITHUB_TOKEN}}或将其作为环境变量传递(更安全)。
最重要的是,gh config set -h {host}需要两个参数:keyvalue,您提供的是{host}value,而不是key

- name: Set up GitHub CLI
    run: |
      echo "Setting up GitHub CLI"
      gh config set -h github.com <SOMEKEY> $GITHUB_TOKEN
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# ⚠️ Warning inlining variables and secrets may open you up to 
  #    script intecjtion attacks.

  - name: Set up GitHub CLI
    run: |
      echo "Setting up GitHub CLI"
      gh config set -h github.com <SOMEKEY> ${{ secrets.GITHUB_TOKEN }}

但是你不应该在配置中设置令牌。gh will automatically pick up the token when you set it in the environment。只需将以下内容添加到下面需要令牌进行身份验证的任务中。

env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

请务必阅读GitHub Actions加固-脚本注入攻击。

相关问题