https://github.com/geritol/write-guard

Github Action to enforce file level write access for monorepos
https://github.com/geritol/write-guard

access-control github-actions monorepos security

Last synced: 3 months ago
JSON representation

Github Action to enforce file level write access for monorepos

• Host: GitHub
• URL: https://github.com/geritol/write-guard
• Owner: geritol
• License: mit
• Created: 2020-06-21T14:14:52.000Z (over 4 years ago)
• Default Branch: master
• Last Pushed: 2023-03-05T04:09:34.000Z (almost 2 years ago)
• Last Synced: 2024-09-28T12:01:53.190Z (4 months ago)
• Topics: access-control, github-actions, monorepos, security
• Language: TypeScript
• Homepage:
• Size: 977 KB
• Stars: 9
• Watchers: 3
• Forks: 2
• Open Issues: 4
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

• awesome-monorepo - Write Guard

README

        
![Node.js CI](https://github.com/geritol/write-guard/workflows/Node.js%20CI/badge.svg)

[![codecov](https://codecov.io/gh/geritol/write-guard/branch/master/graph/badge.svg)](https://codecov.io/gh/geritol/write-guard)

# Write-guard

Enforce file level write access for monorepos

## Usage

Write-guard is designed to enforce file level write access for monorepos that have protected default branches (usually `main` or `master`) with

- Restrict push enabled

- Require status checks to pass before merging

  enabled.

:warning: If these are not enforced, file level write access cannot be enforced by write-guard.

### Setup

you will need to define a `write-guard.yaml` in the root of your repository, eg.:

```yaml

roles:

  - edit-all:

    - team/admins

    - permission/admin

    - user/geritol

access:

  **:

    - role/edit-all

  security/**:

    - team/security

```

You need to run `write-guard` on your pull requests eg.:

```yaml

# .github/workflows/write-guard.yaml

name: Pull Request

on:

  pull_request:

    branches: [master]

jobs:

  write-guard:

    runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v2

        with:

          ref: master # Important!

          # write-guard needs to run on your master branch to prevent

          # the possibility of pr openers self grant edit permissions

          #

          # the action will retrieve files changed in the current pr

          # and validate write access based on the master branches

          # write-guard.yaml

      - name: write-guard

        uses: geritol/[email protected]

        env:

          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

```