{"id":21982215,"url":"https://github.com/abinnovision/github-workflow-dispatch-proxy","last_synced_at":"2026-03-15T21:54:18.924Z","repository":{"id":236753989,"uuid":"792403915","full_name":"abinnovision/github-workflow-dispatch-proxy","owner":"abinnovision","description":"💥 Authenticated proxy for GitHub Actions' workflow_dispatch event","archived":false,"fork":false,"pushed_at":"2025-02-15T20:32:33.000Z","size":688,"stargazers_count":2,"open_issues_count":5,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-23T21:02:11.010Z","etag":null,"topics":["github-actions","workflow-dispatch"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/abinnovision.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-04-26T15:44:29.000Z","updated_at":"2025-02-15T20:31:29.000Z","dependencies_parsed_at":"2024-12-23T13:27:26.247Z","dependency_job_id":"3e4a6e4d-0392-4ae8-8949-25df1ac83b19","html_url":"https://github.com/abinnovision/github-workflow-dispatch-proxy","commit_stats":null,"previous_names":["abinnovision/github-workflow-dispatch-proxy"],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abinnovision%2Fgithub-workflow-dispatch-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abinnovision%2Fgithub-workflow-dispatch-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abinnovision%2Fgithub-workflow-dispatch-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abinnovision%2Fgithub-workflow-dispatch-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/abinnovision","download_url":"https://codeload.github.com/abinnovision/github-workflow-dispatch-proxy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251645989,"owners_count":21620848,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-actions","workflow-dispatch"],"created_at":"2024-11-29T17:23:08.951Z","updated_at":"2026-03-15T21:54:13.874Z","avatar_url":"https://github.com/abinnovision.png","language":"TypeScript","readme":"# github-workflow-dispatch-proxy\n\nProxy for GitHub Actions' `workflow_dispatch` event to allow authenticated\naccess.\nThis can be used to call a workflow dispatch from a GitHub Actions workflow.\n\nIt's based on\nthe [OIDC Connect implementation](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect)\nof GitHub Actions and uses the provided ID token to authenticate the request.\n\n## Installation\n\nThe proxy is distributed as\na Docker Image\non [GitHub Container Registry](https://github.com/abinnovision/github-workflow-dispatch-proxy/pkgs/container/github-workflow-dispatch-proxy)\nand [Docker Hub](https://hub.docker.com/r/abinnovision/github-workflow-dispatch-proxy):\n\n[//]: # \"x-release-please-start-version\"\n\n```bash\ndocker run -d \\\n  --name gwdp \\\n  -p 8080:8080 \\\n  abinnovision/github-workflow-dispatch-proxy:latest\n```\n\n[//]: # \"x-release-please-end\"\n\n**NOTE:** Development builds are only available on GitHub Container Registry.\n\n## Configuration\n\nThe proxy is configured via environment variables.\nThe following environment variables are supported:\n\n| Name                          | Description                                                                          | Default     | Note                                                 |\n| ----------------------------- | ------------------------------------------------------------------------------------ | ----------- | ---------------------------------------------------- |\n| `APP_PORT`                    | Port to listen on.                                                                   | `8080`      |                                                      |\n| `APP_BASE_PATH`               | Base path fo the proxy.                                                              | `/`         |                                                      |\n| `APP_POLICY`                  | Policy to use, either `builtin`, `opa-wasm` or `cel`.                                | `builtin`   |                                                      |\n| `APP_POLICY_TYPE`             | Type of the builtin policy to use, either `allow_all` or `allow_org_wide`.           | `allow_all` |                                                      |\n| `APP_POLICY_CONFIG`           | Config to pass to the policy evaluation. Format: `key=value;key=value`               |             |                                                      |\n| `APP_POLICY_PATH`             | Path to the opa-wasm policy (_.wasm_ file).                                          |             | Only available if `APP_POLICY` is set to `opa-wasm`. |\n| `APP_POLICY_EXPRESSION`       | Express when using CEL.                                                              |             | Only available if `APP_POLICY` is set to `cel`.      |\n| `APP_GH_AUTH_TYPE`            | Type of the GitHub authentication to use, either `app` or `token`.                   |             | **Required**                                         |\n| `APP_GH_AUTH_APP_ID`          | ID of the GitHub App to use for authentication. (Only for `app` auth type.)          |             | Required if `APP_GH_AUTH_TYPE` is `app`.             |\n| `APP_GH_AUTH_APP_PRIVATE_KEY` | Private key of the GitHub App to use for authentication. (Only for `app` auth type.) |             | Required if `APP_GH_AUTH_TYPE` is `app`.             |\n| `APP_GH_AUTH_TOKEN`           | Token to use for authentication. (Only for `token` auth type.)                       |             | Required if `APP_GH_AUTH_TYPE` is `token`.           |\n\n## Policies\n\nPolicies are used to determine whether a request is allowed or not.\n\nThis is implemented using [cross-policy](https://github.com/abinnovision/cross-policy). As of right now,\nthe [opa-wasm target](https://github.com/abinnovision/cross-policy/tree/main/packages/target-opa-wasm)\nand [cel target](https://github.com/abinnovision/cross-policy/tree/main/packages/target-cel) is supported.\n\n### Built-in Policies\n\n#### `allow_all`\n\nThis policy allows all requests.\n\n#### `allow_org_wide`\n\nThis policy allows all requests from within the configured organization.\nIt requires the `organization` configuration to be set on the\n`APP_POLICY_CONFIG` environment variable.\n\n### Open Policy Agent (OPA) WASM Policies\n\nOPA WASM can be used by setting the `APP_POLICY` environment variable\nto `opa-wasm` and providing the path to the policy file via `APP_POLICY_PATH`.\nThe policy file must be a valid WebAssembly file built with\n[Open Policy Agent (OPA)](https://www.openpolicyagent.org/).\n\nTo get started,\nyou can use the [OPA Playground](https://play.openpolicyagent.org/) to write\nyour policy using Rego.\nAlso, see the\nsource [code of the built-in policies for examples](./policies).\n\n[This script](./policies/build.sh) can be used to build the policy file. It can\nbe placed in the folder with many .rego files, and it will build a .wasm file in\nthe same folder for each .rego file.\n\n### Common Expression Language (CEL) Policies\n\nCEL can be used by setting the `APP_POLICY` environment variable\nto `cel` and providing the expression via `APP_POLICY_EXPRESSION`.\n\nCEL is a language for expressing policies in a way that is straightforward to understand and write.\nIt is used by Google in many of its services.\n\nSee the [@cross-policy/target-cel](http://npmjs.com/package/@cross-policy/target-cel) package for further details and\npossible limitations.\n\n#### Example configuration\n\nThis example configuration allows only requests from the owner `abinnovision`.\n\n```\nAPP_POLICY=cel\nAPP_POLICY_EXPRESSION='caller.owner == \"abinnovision\"'\n```\n\n### Input schema for policies\n\nThe input schema for the policy is defined as follows:\n\n```json5\n{\n  // Can be empty if not provided.\n  config: {\n    key: \"value\",\n  },\n  target: {\n    owner: \"owner\",\n    repository: \"repository\",\n    ref: \"ref\",\n    workflow: \"workflow\",\n    // Can be empty if none are required.\n    inputs: {\n      key: \"value\",\n    },\n  },\n  caller: {\n    owner: \"owner\",\n    repository: \"repository\",\n    ref: \"ref\",\n    workflow: \"workflow\",\n  },\n}\n```\n\n## Usage with GitHub Actions\n\nThe main idea of this proxy is to allow GitHub Actions to call a workflow\ndispatch from a workflow by using policy evaluation.\nThat's why the proxy should easily be integrated into a GitHub Actions workflow.\n\n### Example without an additional action\n\nThe proxy can easily be used by using curl.\nFirst, you'd need to fetch the ID token from the GitHub Actions API.\nThen, you can use curl to send the workflow dispatch request to the proxy.\n\n```yaml\njobs:\n  dispatch-workflow:\n    name: Dispatch workflow\n    runs-on: ubuntu-latest\n    steps:\n      - name: Dispatch workflow\n        run: |\n          ID_TOKEN_RESPONSE=$(curl -H \"Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN\" \"$ACTIONS_ID_TOKEN_REQUEST_URL\u0026audience=github-workflow-dispatch-proxy\")\n          ID_TOKEN=$(echo $ID_TOKEN_RESPONSE | jq -r \".value\")\n\n          curl --header \"Content-Type: application/json\" \\\n          --request POST \\\n          --header \"Authorization: Bearer $ID_TOKEN\" \\\n          --data '{\"target\":{\"owner\":\"abinnovision\",\"repo\":\"github-workflow-dispatch-proxy\",\"ref\":\"master\",\"workflow\":\"test.yaml\"},\"inputs\":{}}' \\\n          https://\u003cendpoint\u003e/dispatch\n```\n\n### Example with abinnovision/actions/run-workflow-dispatch\n\nThis example uses the\n[abinnovision/actions@run-workflow-dispatch](https://github.com/abinnovision/actions/blob/master/actions/run-workflow-dispatch/README.md)\naction to run the workflow dispatch.\n\n```yaml\njobs:\n  dispatch-workflow:\n    name: Dispatch workflow\n    runs-on: ubuntu-latest\n    steps:\n      - name: Dispatch workflow\n        uses: abinnovision/actions@run-workflow-dispatch-v1\n        with:\n          proxy: https://\u003cendpoint\u003e # The base URL of the proxy without a trailing slash.\n          target: owner/repo # or just repo\n          workflow: update.yaml # The workflow to dispatch.\n          workflow-ref: master # Optional, defaults to \"master\".\n          # Optional inputs for the workflow. Must be a valid JSON string.\n          workflow-inputs: |\n            {\"key\": \"value\"}\n```\n\n## Development\n\nThis project is based on a Node.js stack with TypeScript. It uses Yarn as the\npackage manager. Also, [asdf](https://asdf-vm.com/) is used to manage the\nNode.js version.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fabinnovision%2Fgithub-workflow-dispatch-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fabinnovision%2Fgithub-workflow-dispatch-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fabinnovision%2Fgithub-workflow-dispatch-proxy/lists"}