{"id":15988235,"url":"https://github.com/dbanty/graphql-check-action","last_synced_at":"2025-03-17T20:30:22.313Z","repository":{"id":105834811,"uuid":"594562278","full_name":"dbanty/graphql-check-action","owner":"dbanty","description":"This action checks your GraphQL server health after deployment.","archived":false,"fork":false,"pushed_at":"2024-04-29T03:22:50.000Z","size":210,"stargazers_count":4,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-05-02T02:26:28.093Z","etag":null,"topics":["actions","graphql","rust"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dbanty.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-01-28T23:23:51.000Z","updated_at":"2024-05-03T16:09:25.585Z","dependencies_parsed_at":"2023-10-15T10:57:39.287Z","dependency_job_id":"b686dd7c-fdec-4d88-a92a-3264a32062b0","html_url":"https://github.com/dbanty/graphql-check-action","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dbanty%2Fgraphql-check-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dbanty%2Fgraphql-check-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dbanty%2Fgraphql-check-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dbanty%2Fgraphql-check-action/manifests","owner_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/owners/dbanty","download_url":"https://codeload.github.com/dbanty/graphql-check-action/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243878483,"owners_count":20362433,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","graphql","rust"],"created_at":"2024-10-08T04:02:15.569Z","updated_at":"2025-03-17T20:30:21.897Z","avatar_url":"https://github.com/dbanty.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# GraphQL Check\n\nThis action checks your GraphQL server health after deployment. Specifically, it will check:\n\n1. The endpoint is reachable\n2. Introspection is disabled (for non-federated graphs)\n3. Authentication is required to make _any_ query\n4. If this is a [federation subgraph], the subgraph contains required Federation elements\n\n### Inputs\n\n| Name                  | Description                                                                                                                          | Default             |\n|-----------------------|--------------------------------------------------------------------------------------------------------------------------------------|---------------------|\n| `endpoint`            | The full URL, including scheme (e.g., `https://`) of the GraphQL endpoint                                                            | None                |\n| `auth`                | The full header to be included. 
Providing a value enables the \"authentication required\" check                                        | None                |\n| `subgraph`            | Whether the endpoint is expected to be a [Federation subgraph]                                                                       | `false`             |\n| `allow_introspection` | Whether the GraphQL server should have introspection enabled. This [should be disabled for non-subgraphs][introspection explanation] | value of `subgraph` |\n| `insecure_subgraph`   | Whether it is acceptable for your `auth` to be empty when `subgraph` is `true`. You generally [don't want this][subgraph security]   | `false`             |\n| `token`               | The GitHub token to use for GitHub API calls. May be needed if using this action very frequently.                                    | Workflow token      |\n\n## Tests\n\nHere are all the tests that will run, and the config values that affect them.\n\n### Endpoint reachable\n\nThis action will always fail if making an HTTP POST request to the provided endpoint fails. The request will contain this query:\n\n```graphql\nquery {\n    __typename\n}\n```\n\nIt expects this response:\n\n```json\n{\n  \"data\": {\n    \"__typename\": \"Query\"\n  }\n}\n```\n\nIf the `auth` parameter is provided, that header will be included in the request.\n\n### Introspection disabled\n\nGenerally speaking, [introspection should be disabled for non-subgraphs][introspection explanation]. As such, by default this action will fail if the graph is not a [federated subgraph][federation subgraph] (checked dynamically) and the server responds with some content to the following query:\n\n```graphql\nquery {\n    __schema {\n        types {\n            name\n        }\n    }\n}\n```\n\nIf `__schema` in the response is `null`, this action will pass. 
You can bypass this check by setting `allow_introspection` to `true`.\n\n### Authentication enforced\n\nIf the `auth` input is provided, this action will fail if the GraphQL server responds successfully to **any** query without the provided authentication. If the GraphQL server responds with a non-200 status code _or_ a GraphQL error, this action will pass.\n\nIf subgraph features are detected (by running the \"Subgraph compatibility\" check), but `auth` is not provided, this check will still fail, as an insecure subgraph is [usually a mistake][subgraph security]. If you need a public, insecure subgraph, you can provide the input `insecure_subgraph: true`.\n\n### Subgraph compatibility\n\nIf the `subgraph` input is set to `true`, this action will require that the endpoint is a [federation subgraph]. Specifically, it must return something for `sdl` in this query:\n\n```graphql\nquery {\n    _service {\n        sdl\n    }\n}\n```\n\n## Examples\n\n### Standard GraphQL Server\n\nIntrospection is disabled and authentication is required for all operations.\n\n```yaml\nname: Deploy\non:\n  push:\n    branches:\n      - main\njobs:\n  deploy:\n    steps:\n      - name: Deploy your server\n      - name: Wait for deploy to finish\n  check_graphql:\n    runs-on: ubuntu-latest\n    needs: deploy\n    steps:\n      - uses: actions/checkout@v3\n      - uses: dbanty/graphql-check-action@v2.0.0\n        with:\n          endpoint: ${{ vars.PRODUCTION_ENDPOINT }}\n          auth: \"Authorization: Bearer ${{ secrets.TEST_TOKEN }}\"\n```\n\n### Public GraphQL Server\n\nWhile authentication may be required for operations, anyone is allowed to introspect the server and start building queries.\n\n```yaml\nname: Deploy\non:\n  push:\n    branches:\n      - main\njobs:\n  deploy:\n    steps:\n      - name: Deploy your server\n      - name: Wait for deploy to finish\n  check_graphql:\n    runs-on: ubuntu-latest\n    needs: deploy\n    steps:\n      - uses: actions/checkout@v3\n      - uses: 
dbanty/graphql-check-action@v2.0.0\n        with:\n          endpoint: ${{ vars.PRODUCTION_ENDPOINT }}\n          allow_introspection: true\n```\n\n### Federated subgraph\n\nThis is the recommended setup for a federated subgraph which, generally speaking, should not be accessible to anything except the router.\n\n```yaml\nname: Deploy\non:\n  push:\n    branches:\n      - main\njobs:\n  deploy:\n    steps:\n      - name: Deploy your server\n      - name: Wait for deploy to finish\n  check_graphql:\n    runs-on: ubuntu-latest\n    needs: deploy\n    steps:\n      - uses: actions/checkout@v3\n      - uses: dbanty/graphql-check-action@v2.0.0\n        with:\n          endpoint: ${{ vars.PRODUCTION_ENDPOINT }}\n          auth: \"Gateway-Authorization: Bearer ${{ secrets.AUTH_TOKEN }}\"\n          subgraph: true\n```\n\n[federation subgraph]: https://www.apollographql.com/docs/federation/building-supergraphs/subgraphs-overview#subgraph-specific-fields\n[introspection explanation]: https://www.apollographql.com/blog/graphql/security/why-you-should-disable-graphql-introspection-in-production/#what-is-it\n[subgraph security]: https://www.apollographql.com/docs/technotes/TN0021-graph-security/#only-allow-the-router-to-query-subgraphs-directly\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdbanty%2Fgraphql-check-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdbanty%2Fgraphql-check-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdbanty%2Fgraphql-check-action/lists"}