xalvarez/prevent-file-change-action

Feature request: allow certain users

Closed this issue · 5 comments

Hi,

I was thinking about using your action to prevent someone from adding changed *.lock files (e.g. from yarn, packages, composer) to PRs. This should prevent someone from sneaking in new packages not updated by the core maintainer.

BUT: if I now configured your action to fail on *.lock, I wouldn't be able to create new PRs with updated dependencies myself. Neither would dependabot, for example.

Not sure if your action was made to cover that use-case, but maybe you would consider adding a feature where certain users are allowed to override the pattern?

Not sure about the wording for the new setting I was thinking about, but I imagined something like this:

    - name: Prevent file change
      uses: xalvarez/prevent-file-change-action@v1
      with:
        githubToken: ${{ secrets.GITHUB_TOKEN }}
        pattern: .*.lock
        maintainer: kevinpapst, xalvarez, dependabot

With that setting applied, the 3 users kevinpapst, xalvarez and dependabot would be allowed to pass the pattern rule.

What do you think?

Edit:

Or is there some other way to achieve the same goal with native GitHub Actions features?

P.S: this is not a bug, the label was added automatically.

Good idea 👍 I can work on that over the weekend or next week

Thanks for the quick and positive response @xalvarez 😄

In the meantime I tried to use this in my action:

    if: ${{ github.actor != 'kevinpapst' && github.actor != 'dependabot[bot]' }}
    steps:
        - name: Prevent file change
          uses: xalvarez/prevent-file-change-action@v1
          with:
            githubToken: ${{ secrets.GITHUB_TOKEN }}
            pattern: .*.lock

So only running your action if the user is neither me nor dependabot.

That would achieve the same goal, but:
[Screenshot 2021-12-02 at 14:50:23]

The skipped status will lead to problems when branch protection is activated with "Status checks are required". Workarounds exist, but I believe handling this inside the action is a much cleaner solution.

I can help testing, just give me a ping!

Hi @kevinpapst, I've just released v1.1.0 including the suggested enhancement. I named the input variable trustedAuthors. If you have time, please try it out 🙂

Awesome, thank you so much for quickly adding this new feature 👍

I tried a new PR without a changed lock file and it said
[Screenshot 2021-12-04 at 23:49:32]

Now I have to wait for a user adding or updating an existing PR for the real fun and will report back for the use-cases I want this action for: making sure that no one will submit a changed .lock file.

I'll close this feature request. Thanks again @xalvarez - just shared your great action (which needs many more stars!) on Twitter
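
The decision discussed in this thread, as an added example that is not part of the thread and not the action's own source: trusted authors bypass the pattern inside the check itself, so the check always reports passed or failed instead of being skipped. The function names, the comma-separated input format, the unanchored regex matching and the sample pull requests are assumptions; the pattern used here escapes the dot and anchors the end, which is stricter than the `.*.lock` shown above.

```javascript
// Added example: hypothetical helper names, not the action's own source.
// Decides the outcome of a "prevent file change" check for one pull request.

// Parse a comma-separated input such as "kevinpapst, xalvarez, dependabot[bot]".
// (The input format is an assumption based on the proposal in this thread.)
function parseTrustedAuthors(input) {
  return (input || "")
    .split(",")
    .map((name) => name.trim().toLowerCase())
    .filter((name) => name.length > 0);
}

// Returns { ok, reason, offending }. The check always produces a result,
// so a required status check is reported as passed or failed, never skipped.
function evaluatePullRequest({ author, changedFiles, pattern, trustedAuthors }) {
  const trusted = parseTrustedAuthors(trustedAuthors);
  // GitHub logins are case-insensitive; compare whole names, never substrings,
  // so a look-alike such as "kevinpapst-evil" does not match "kevinpapst".
  if (trusted.includes(String(author).toLowerCase())) {
    return { ok: true, reason: "trusted-author", offending: [] };
  }
  const regex = new RegExp(pattern);
  const offending = changedFiles.filter((file) => regex.test(file));
  return offending.length === 0
    ? { ok: true, reason: "no-match", offending }
    : { ok: false, reason: "protected-file-changed", offending };
}

// Constructed configuration and sample pull requests.
const config = {
  pattern: ".*\\.lock$",
  trustedAuthors: "kevinpapst, xalvarez, dependabot[bot]",
};
const samples = [
  { author: "dependabot[bot]", changedFiles: ["yarn.lock", "package.json"] },
  { author: "some-contributor", changedFiles: ["src/index.js", "composer.lock"] },
  { author: "some-contributor", changedFiles: ["README.md", "docs/unlocking.md"] },
  { author: "kevinpapst-evil", changedFiles: ["yarn.lock"] },
];
for (const pr of samples) {
  const result = evaluatePullRequest({ ...pr, ...config });
  console.log(pr.author, result.ok ? "pass" : "fail", result.reason, result.offending);
}
```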