GitHub branch protection rules and workflow permissions
I would like to implement the rule that every (human) user has to open a PR to change something on the protected branch while the workflow to release the new version is able to increase the version number on that same protected branch.
The branch protection is in place, also the "include administrators" checkbox is checked. So no one can accidentally push to that branch.
Now, when I want to push something from a workflow I get the same error message that I get as a user:
name: Build pipeline
"on":
  push:
    branches:
      # As posted this was 'master', but the step below is guarded on dev and the
      # log further down shows the push happening on dev; with 'master' the step
      # would always be skipped.
      - 'dev'
defaults:
  run:
    shell: bash
jobs:
  release:
    runs-on:
      - self-hosted
      - default-runner
    needs: []
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
          clean: true
      - name: demo push
        if: github.ref == 'refs/heads/dev'
        run: |
          git config --global user.email "[email protected]"
          git config --global user.name "Github Actions Runner"
          # normally we would generate the release notes here etc, increase the version,... though lets keep the example simple
          date >> test.txt
          git add test.txt
          git commit -m "test2" test.txt
          git push
While setting up the job, the permissions of the job are printed out:
GITHUB_TOKEN Permissions
Actions: write
Checks: write
Contents: write
Deployments: write
Discussions: write
Issues: write
Metadata: read
Packages: write
PullRequests: write
RepositoryProjects: write
SecurityEvents: write
Statuses: write
and then the step fails with the following output:
[email protected]
user.name=Github Actions Runner
core.repositoryformatversion=0
core.filemode=true
core.bare=false
core.logallrefupdates=true
remote.origin.url=https://github.xxx.com/xx/xxx
remote.origin.fetch=+refs/heads/*:refs/remotes/origin/*
gc.auto=0
http.https://github.xxx.com/.extraheader=AUTHORIZATION: basic ***
branch.dev.remote=origin
branch.dev.merge=refs/heads/dev
[dev 7ddff59] test2
1 file changed, 1 insertion(+)
create mode 100644 test.txt
remote: error: GH006: Protected branch update failed for refs/heads/dev.
remote: error: You're not authorized to push to this branch. Visit https://docs.github.com/enterprise/3.2/articles/about-protected-branches/ for more information.
To https://github.xxx.com/xx/xxx
! [remote rejected] dev -> dev (protected branch hook declined)
error: failed to push some refs to 'https://github.xxx.com/xx/xxx'
Error: Process completed with exit code 1.
So the question is: how can I force human users to open a PR and have it reviewed and checked before it can be merged, while the workflows can directly manipulate the (protected) branch?
Answers (1)
After some research I found out that there is currently (June 2022) no straightforward solution (source).
There are two workarounds. One is to remove the branch protection in the workflow and restore it afterwards. The risk is that the workflow breaks in between (e.g. when the workflow runner crashes) and the branch stays unprotected. Another risk is that a user could accidentally or deliberately push to the now unprotected branch (e.g. trigger a release build, wait until the branch protection is removed, and push to that branch).
The alternative solution is to remove the admin rights from the human users so that they need a PR to change the protected branch. During a release build a PAT of a technical user with admin rights is used (not ${{ secrets.GITHUB_TOKEN }}). In the branch protection the "enforce admins" option is disabled. Though there is a feature request covering this topic.