eladchen/protected-workflows

Following the setup instructions generates an error.

justinengland opened this issue · 5 comments

I get the following error:

GitHub Actions / .github/workflows/protected-workflows.yml

Error

No event triggers defined in `on`

using the following test config file:

# "events" is a map between Github events and rules.
# possible event names can be seen at https://docs.github.com/en/actions/reference/events-that-trigger-workflows
events:
  # 'pull_request' is the Github event name.
  # '&pull_request' is a YAML anchor
  pull_request: &pull_request

    # Authorize any user when package.json or anything under .github folder was not changed.
    - trustAnyone: true
      paths:
        disallowed:
          #- ".github/**"
          - "package.json"

    # Authorize "bot" user when CHANGELOG.md is the only changed file.
    - trustedUserNames:
        - "bot"
      paths:
        allowed:
          - "CHANGELOG.md"

    # Authorize collaborators when package.json is the only changed file.
    - trustCollaborators: true
      paths:
        allowed:
          - "package.json"

  # Reference the "pull_request" anchor to reuse its configuration
  # Read about "pull_request_target" in this blog post:
  # https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/
  pull_request_target: *pull_request

# 'anyEvent' value is a rule, and will be used when an event specific configuration is not set.
# It is automatically added in case it was not explicitly set and it does not support the 'paths' property.
anyEvent:
  trustAnyone: false
  trustCollaborators: true
  trustedUserNames: []

Can you provide any guidance on how this is being set up incorrectly on my end?

The file protected-workflows.yml was placed in the wrong directory.

It should be created within

.github/protected-workflows.yml

not within

.github/workflows/protected-workflows.yml

tyvm! Second question: can you help me with an example to allow pushes? I am not quite sure I follow the instructions on the anchor stuff.

I am getting:

Runner name: 'ip-172-31-1-254'
Machine name: 'ip-172-31-1-254'
Prepare workflow directory
Prepare all required actions
Getting action download info
Download action repository 'actions/checkout@v2'
Error: A task was canceled.

while running this file:

events:
  pull_request: &pull_request
    - trustedUserNames:
      - "justinengland"
  push:
    - trustAnyone: true
  # '*some-anchor-id' is a YAML alias
  pull_request_target: *pull_request

# 'anyEvent' value is a rule, and will be used when an event specific configuration is not set.
# It is automatically added in case it was not explicitly set and it does not support the 'paths' property.
anyEvent:
  trustAnyone: false
  trustCollaborators: true
  trustedUserNames: [justinengland]

My understanding is this should allow runs on push. Is that an incorrect understanding?

events:
  pull_request: &config
    - trustAnyone: true
      paths:
        disallowed:
          - ".github/**"
          - ".github/protected-workflows.yml"

    - trustedUserNames:
        - "justinengland"
        - "nirajpathak13"

  pull_request_target: *config
  push: *config

# 'anyEvent' value is a rule, and will be used when an event specific configuration is not set.
# It is automatically added in case it was not explicitly set and it does not support the 'paths' property.
anyEvent:
  trustAnyone: false
  trustCollaborators: false
  trustedUserNames: []

Found this example config in your playground project.
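Added example (not the protected-workflows action's own code, and not posted by anyone in this thread): a small evaluator that models the rule semantics the config comments above describe, using the parsed form of the config from the opening comment. It assumes, as the comments suggest, that the rules of an event are tried in order and any matching rule authorizes the run; that `disallowed` means no changed file may match and `allowed` means every changed file must match; and that an event with no rule list (such as `push` in the first config) falls back to `anyEvent`, which carries no `paths`. `with_push_rules` shows what the `push: *pull_request` alias does once parsed: the push event points at the same rule list, nothing more. Patterns are matched with Python's `fnmatch`, whose `*` also crosses `/`; the real action may use a different matcher.

```python
from fnmatch import fnmatchcase

# Constructed sample: the parsed form of the config quoted in the opening
# comment. A YAML alias (*pull_request) resolves to the very same list object,
# so both events below share one PULL_REQUEST_RULES list, exactly as a YAML
# parser would hand it to the action.
PULL_REQUEST_RULES = [
    # any actor, as long as package.json is untouched
    {"trustAnyone": True, "paths": {"disallowed": ["package.json"]}},
    # the "bot" account, only when CHANGELOG.md is the sole change
    {"trustedUserNames": ["bot"], "paths": {"allowed": ["CHANGELOG.md"]}},
    # collaborators, only when package.json is the sole change
    {"trustCollaborators": True, "paths": {"allowed": ["package.json"]}},
]
CONFIG = {
    "events": {
        "pull_request": PULL_REQUEST_RULES,
        "pull_request_target": PULL_REQUEST_RULES,
    },
    # used for any event without its own rule list; carries no 'paths'
    "anyEvent": {"trustAnyone": False, "trustCollaborators": True, "trustedUserNames": []},
}


def with_push_rules(config):
    """Model of adding `push: *pull_request` under `events` (assumed semantics):
    push reuses the existing rule list instead of falling through to anyEvent."""
    events = dict(config["events"])
    events["push"] = config["events"]["pull_request"]
    return {"events": events, "anyEvent": config["anyEvent"]}


def actor_trusted(rule, actor, is_collaborator):
    """Does the actor satisfy the rule's trust criteria?"""
    if rule.get("trustAnyone"):
        return True
    if rule.get("trustCollaborators") and is_collaborator:
        return True
    return actor in rule.get("trustedUserNames", [])


def paths_ok(rule, changed_files):
    """'disallowed': no changed file may match. 'allowed': every changed file must match."""
    paths = rule.get("paths") or {}
    disallowed = paths.get("disallowed", [])
    allowed = paths.get("allowed")
    if any(fnmatchcase(f, p) for f in changed_files for p in disallowed):
        return False
    if allowed is not None:
        return all(any(fnmatchcase(f, p) for p in allowed) for f in changed_files)
    return True


def authorize(config, event, actor, changed_files, is_collaborator=False):
    """True if some rule for the event (or the anyEvent rule) authorizes the run."""
    rules = config["events"].get(event)
    if rules is None:
        # no event-specific list: anyEvent decides, and it ignores changed paths
        return actor_trusted(config["anyEvent"], actor, is_collaborator)
    return any(actor_trusted(r, actor, is_collaborator) and paths_ok(r, changed_files)
               for r in rules)


if __name__ == "__main__":
    # push is not under 'events' in the first config, so anyEvent applies
    print(authorize(CONFIG, "push", "stranger", ["src/app.py"]))                   # False
    # after 'push: *pull_request', the same rules as pull_request apply
    print(authorize(with_push_rules(CONFIG), "push", "stranger", ["src/app.py"]))  # True
    print(authorize(with_push_rules(CONFIG), "push", "stranger", ["package.json"]))  # False
```

The last three calls are the answer to the "allow pushes" question under these assumed semantics: without a `push` entry a push from a non-collaborator is refused by `anyEvent`, and the alias simply gives `push` the same rule list, so it inherits the `package.json` restriction too.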

I suspect that the project is gagging on my inclusion of an upstream action that I do not own.

on:
  push:
    branches:
      - main
      - "*"
  pull_request:
    branches:
      - main

jobs:
  packer_validate:
    runs-on: [xxxxx]
    timeout-minutes: 60
    strategy:
      fail-fast: true
      max-parallel: 4
    steps:
      - uses: actions/checkout@v2

Hi @justinengland - Could you please help me understand what you're hoping to achieve, and what the config you use looks like?