{"id":17609695,"url":"https://github.com/bitoiu/repo-visibility-alert-action","last_synced_at":"2025-04-30T13:52:53.970Z","repository":{"id":48020915,"uuid":"171680597","full_name":"bitoiu/repo-visibility-alert-action","owner":"bitoiu","description":"Action that alerts org owners of a repository made public. See upcoming `repo-visibility-toggle-sms-action` to toggle it back via SMS reply.","archived":false,"fork":false,"pushed_at":"2022-12-08T14:20:29.000Z","size":95,"stargazers_count":16,"open_issues_count":8,"forks_count":4,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-04-15T00:05:50.880Z","etag":null,"topics":["devsecops","github","github-actions","security","security-tools","twilio","twilio-sms-api"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bitoiu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-02-20T13:43:55.000Z","updated_at":"2023-11-30T03:58:04.000Z","dependencies_parsed_at":"2023-01-11T17:23:04.000Z","dependency_job_id":null,"html_url":"https://github.com/bitoiu/repo-visibility-alert-action","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitoiu%2Frepo-visibility-alert-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitoiu%2Frepo-visibility-alert-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitoiu%2Frepo-visibility-alert-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bitoiu
%2Frepo-visibility-alert-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bitoiu","download_url":"https://codeload.github.com/bitoiu/repo-visibility-alert-action/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":221117211,"owners_count":16759141,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devsecops","github","github-actions","security","security-tools","twilio","twilio-sms-api"],"created_at":"2024-10-22T17:09:46.024Z","updated_at":"2024-10-22T17:09:48.688Z","avatar_url":"https://github.com/bitoiu.png","language":"JavaScript","funding_links":[],"categories":["JavaScript"],"sub_categories":[],"readme":"## repo-visibility-alert-action\n\nThis GitHub Action can be installed in organization repositories, and it notifies the owners via SMS when a repository changes from private to public visibility. It can be configured to only notify the organization owners, or to work in conjunction with its sibling Action that lets users reply to the SMS to set the repository back to private. You can choose which mode it runs in.\n\n![example](https://user-images.githubusercontent.com/33058359/53344570-e40ca180-390a-11e9-81fd-41f80826a2ae.png)\n\n🚧 The sibling Action that allows for SMS replies is under development 🚧\n\n## Pre-requisites\n\nTo run this action you'll need:\n - To be part of the [Actions beta](https://github.com/features/actions).
\n - A [Twilio account and the corresponding `account_sid` and `auth_token`](https://www.twilio.com/docs/usage/your-request-to-twilio#credentials). To test this Action you can set up a trial Twilio account.\n   - You need to [create a new project on Twilio](https://www.twilio.com/console/projects/create) to view these. However, you do not need to actually select a pre-made template or product.\n   - `account_sid` and `auth_token` are accessible via one of your [Project settings](https://www.twilio.com/console/project/settings) or on one of your [console dashboard views](https://www.twilio.com/console).\n - **A text file hosted anywhere** with the list of target owners and their phone numbers. I personally use [GitHub Gists](https://gist.github.com) and get the link of the raw file. Just note that edits to a file in Gists change the raw file URL.\n - A [GitHub Personal Access Token](https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line) with scope `read:org` from a user who is at least a member of the organization, but ideally an owner.\n   - **Note:** This should ideally be a [bot user account](https://developer.github.com/v3/guides/managing-deploy-keys/#machine-users) so that the token is not tied to an actual user, who may leave the company and take the token with them.\n\n## How does it work\n\n**This action only works for organization repositories.**\n\nAssuming all the credentials are in place, the logic of this Action is quite simple. It fetches a list of `owner:phone_number` entries from a file and checks which of those listed are currently organization owners. This prevents a situation where an outdated address book would notify non-owners or, even worse, members that have left the organization. It then sends an SMS via Twilio every time a repository is made public, with the repository name and the user responsible for the event.
\n\nThis Action was designed to be the first part of a pair of Actions that allow for notification and reaction. The second part of this process is an action that is triggered via the Twilio API every time an owner responds to the first text, instructing the repository to be made private again.\n\n## Setup\n\n### 1. Create the release workflow\n\nAdd a new workflow to your `.github/main.workflow` that triggers on `public`. Give it a name representative of its purpose, such as `Public Repo SMS Alert`:\n\n![new-workflow](https://user-images.githubusercontent.com/33058359/53343917-5c726300-3909-11e9-9a0b-a35ef810b908.png)\n\n### 2. Configure the Action\n\nCreate an action that uses this repository `bitoiu/repo-visibility-alert-action@master` or points to Docker Hub at `docker://bitoiu/repo-visibility-alert-action`. Follow that by configuring the secrets and environment variables:\n\n**Required**:\n - `GH_TOKEN`: a [GitHub Personal Access Token](https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line) with scope `read:org`\n - `NUMBERS`: URL pointing to a publicly hosted file where every line is in the form `owner_handle:phone-number`, for example `bitoiu:+447535223145`.\n - `ACCOUNT_SID`: The [Twilio account SID](https://www.twilio.com/docs/usage/your-request-to-twilio#credentials)\n - `AUTH_TOKEN`: The [Twilio auth token](https://www.twilio.com/docs/usage/your-request-to-twilio#credentials)\n\n**Optional**:\n - `NOTIFY_ONLY`: default is unset. Setting it to `true` changes the text message to simply notify the users instead of also prompting them to reply.\n - `LOG_LEVEL`: default is `info`. Can be set to `trace` to inspect the payloads from the GitHub API calls.
\n\n_Note: In case you're wondering why the `env.template` file has more variables than the ones listed above, those are for [local testing purposes](#local-testing), since those variables get set by the GitHub Actions runtime._\n\n![action-configuration](https://user-images.githubusercontent.com/33058359/53345740-7f067b00-390d-11e9-8c14-96047ccfca67.png)\n\n### 3. Save (commit) the workflow\n\nMake sure you commit all pending changes. After you've done that your `main.workflow` should look similar to this:\n\n```\nworkflow \"Public Repo SMS Alert\" {\n  on = \"public\"\n  resolves = [\"SMS Alert\"]\n}\n\naction \"SMS Alert\" {\n  uses = \"bitoiu/repo-visibility-alert-action@master\"\n  secrets = [\"ACCOUNT_SID\", \"AUTH_TOKEN\", \"NUMBERS\", \"GH_TOKEN\"]\n  env = {\n    LOG_LEVEL = \"trace\"\n    NOTIFY_ONLY = \"true\"\n  }\n}\n```\n\n### 4. Testing the workflow!\n\nIn order to validate all the settings you can either [test them locally](#local-testing) or set up a test repository; I would suggest the latter. Simply toggle the repository from private to public and, as long as there are phone numbers listed in the file and the users match current organization owners, the messages should go through.\n\n## Local testing\n\nThe main script that does the heavy lifting is a Node.js file. As such you can simply test it like any other Node program.
Note that to test this Action locally, you'll need to manually set the rest of the environment variables that are provided at runtime, such as `GITHUB_EVENT_PATH` or `GITHUB_REPOSITORY`. For example, run the following from the repository root:\n\n```bash\nGITHUB_REPOSITORY=\"YourTestOrg/YourTestRepo\" GH_TOKEN=\"\" NUMBERS=\"\" ACCOUNT_SID=\"\" AUTH_TOKEN=\"\" LOG_LEVEL=\"trace\" GITHUB_EVENT_PATH=\"src/sample-payload.json\" NOTIFY_ONLY=\"true\" node src/notify.js\n```\n\nIf you prefer to test the container directly (which is a tiny bit slower but more reliable) you just need to create a copy of `env.template` named `env`, fill in the unset variables and run:\n\n```\ndocker build -t release . \u0026\u0026 docker run --env-file=./env release\n```\n\n## Pull Requests and Issues are Welcome\n\nWould you want support for multiple adapters dealing with different SMS or e-mail providers? Do you know how to add emojis to the Twilio messages? Pull Requests are open for business :octocat::heart:\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitoiu%2Frepo-visibility-alert-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbitoiu%2Frepo-visibility-alert-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbitoiu%2Frepo-visibility-alert-action/lists"}