feat: validate GitHub App permissions via API and add tests

jcfr · jcfr · commit 6bac163050ea · 2025-02-28T13:38:14.000-05:00
- Use `octokit.rest.users.getByUsername` to determine actor type (`User` or `Bot`)
- Fetch GitHub App installation details with `octokit.rest.apps.getRepoInstallation` for permission validation.
- Ensure GitHub Apps have `"issues"` permission set to `"write"` before allowing execution.
- Add test cases for GitHub App actors
diff --git a/README.md b/README.md
@@ -190,7 +190,7 @@ As seen above, we have a single example step. Perhaps you would actually use a r
 | `success_reaction` | `true` | `+1` | The reaction to add to the comment that triggered the Action if its execution was successful |
 | `failure_reaction` | `true` | `-1` | The reaction to add to the comment that triggered the Action if its execution failed |
 | `allowed_contexts` | `true` | `pull_request` | A comma separated list of comment contexts that are allowed to trigger this IssueOps command. Pull requests and issues are the only currently supported contexts. To allow IssueOps commands to be invoked from both PRs and issues, set this option to the following: `"pull_request,issue"`. By default, the only place this Action will allow IssueOps commands from is pull requests |
-| `permissions` | `true` | `"write,admin"` | The allowed GitHub permissions an actor can have to invoke IssueOps commands |
+| `permissions` | `true` | `"write,admin"` | The allowed GitHub permissions an actor can have to invoke IssueOps commands. Note that permission check for GitHub App ignores this and instead expects "issues" permission set to "write". |
 | `allow_drafts` | `true` | `"false"` | Whether or not to allow this IssueOps command to be run on draft pull requests |
 | `allow_forks` | `true` | `"false"` | Whether or not to allow this IssueOps command to be run on forked pull requests |
 | `skip_ci` | `true` | `"false"` | Whether or not to require passing CI checks before this IssueOps command can be run |
diff --git a/__tests__/functions/valid-permissions.test.js b/__tests__/functions/valid-permissions.test.js
@@ -16,13 +16,24 @@ beforeEach(() => {
 
   octokit = {
     rest: {
+      users: {
+        getByUsername: jest.fn().mockReturnValueOnce({
+          status: 200,
+          data: {
+            type: 'User'
+          }
+        })
+      },
       repos: {
         getCollaboratorPermissionLevel: jest.fn().mockReturnValueOnce({
           status: 200,
           data: {
             permission: 'write'
           }
         })
+      },
+      apps: {
+        getRepoInstallation: jest.fn()
       }
     }
   }
@@ -61,3 +72,71 @@ test('fails to get actor permissions due to a bad status code', async () => {
   )
   expect(setOutputMock).toHaveBeenCalledWith('actor', 'monalisa')
 })
+
+test('determines that a GitHub App has valid permissions', async () => {
+  context.actor = 'github-actions[bot]'
+
+  octokit.rest.users.getByUsername.mockReturnValueOnce({
+    status: 200,
+    data: {
+      type: 'Bot'
+    }
+  })
+
+  octokit.rest.apps.getRepoInstallation.mockReturnValueOnce({
+    status: 200,
+    data: {
+      permissions: {
+        issues: 'write'
+      }
+    }
+  })
+
+  expect(await validPermissions(octokit, context)).toEqual(true)
+  expect(setOutputMock).toHaveBeenCalledWith('actor', 'github-actions[bot]')
+})
+
+test('determines that a GitHub App does not have valid permissions', async () => {
+  context.actor = 'monalisa[bot]'
+
+  octokit.rest.users.getByUsername.mockReturnValueOnce({
+    status: 200,
+    data: {
+      type: 'Bot'
+    }
+  })
+
+  octokit.rest.apps.getRepoInstallation.mockReturnValueOnce({
+    status: 200,
+    data: {
+      permissions: {
+        issues: 'read'
+      }
+    }
+  })
+
+  expect(await validPermissions(octokit, context)).toEqual(
+    '👋 __monalisa[bot]__ does not have "issues" permission set to "write". Current permissions: {"issues":"read"}'
+  )
+  expect(setOutputMock).toHaveBeenCalledWith('actor', 'monalisa[bot]')
+})
+
+test('fails to fetch installation details for GitHub App', async () => {
+  context.actor = 'monalisa[bot]'
+
+  octokit.rest.users.getByUsername.mockReturnValueOnce({
+    status: 200,
+    data: {
+      type: 'Bot'
+    }
+  })
+
+  octokit.rest.apps.getRepoInstallation.mockReturnValueOnce({
+    status: 500
+  })
+
+  expect(await validPermissions(octokit, context)).toEqual(
+    'Failed to fetch GitHub App installation details: Status 500'
+  )
+  expect(setOutputMock).toHaveBeenCalledWith('actor', 'monalisa[bot]')
+})
diff --git a/action.yml b/action.yml
@@ -33,7 +33,7 @@ inputs:
     required: true
     default: "pull_request"
   permissions:
-    description: 'The allowed GitHub permissions an actor can have to invoke IssueOps commands - Example: "write,admin"'
+    description: 'The allowed GitHub permissions an actor can have to invoke IssueOps commands - Example: "write,admin". Permission check for GitHub App ignores this and instead expects "issues" permission set to "write".'
     required: true
     default: "write,admin"
   allow_drafts:
@@ -57,7 +57,7 @@ inputs:
     required: true
     default: "|"
   allowlist:
-    description: 'A comma separated list of GitHub usernames or teams that should be allowed to use the IssueOps commands configured in this Action. If unset, then all users meeting the "permissions" requirement will be able to run commands. Example: "monalisa,octocat,my-org/my-team"'
+    description: 'A comma separated list of GitHub usernames or teams that should be allowed to use the IssueOps commands configured in this Action. If unset, then all users meeting the "permissions" requirement will be able to run commands. Example: "monalisa,monalisa[bot],octocat,my-org/my-team"'
     required: false
     default: "false"
   allowlist_pat:
diff --git a/src/functions/valid-permissions.js b/src/functions/valid-permissions.js
@@ -13,6 +13,44 @@ export async function validPermissions(octokit, context) {
 
   core.setOutput('actor', context.actor)
 
+  // Get Actor Type from GitHub API
+  const userRes = await octokit.rest.users.getByUsername(
+    {
+    username: context.actor
+    }
+  )
+
+  if (userRes.status !== 200) {
+    return `Fetch user details returns non-200 status: ${userRes.status}`
+  }
+
+  const actorType = userRes.data.type; // "User" or "Bot"
+  core.info(`🔍 Detected actor type: ${actorType} (${context.actor})`);
+
+  // Handle GitHub Apps (Bots)
+  if (actorType === 'Bot') {
+    // Fetch installation details for the GitHub App
+    const installationRes = await octokit.rest.apps.getRepoInstallation(
+      {
+        owner: context.repo.owner,
+        repo: context.repo.repo
+      }
+    )
+
+    if (installationRes.status !== 200) {
+      return `Failed to fetch GitHub App installation details: Status ${installationRes.status}`
+    }
+
+    const appPermissions = installationRes.data.permissions || {};
+
+    // Ensure the bot has "issues" permission set to "write"
+    if (appPermissions.issues !== 'write') {
+      return `👋 __${context.actor}__ does not have "issues" permission set to "write". Current permissions: ${JSON.stringify(appPermissions)}`;
+    }
+
+    return true
+  }
+
   // Get the permissions of the user who made the comment
   const permissionRes = await octokit.rest.repos.getCollaboratorPermissionLevel(
     {
