forked from HKUDS/OpenSpace
-
Notifications
You must be signed in to change notification settings - Fork 0
122 lines (110 loc) · 4.44 KB
/
Copy pathbypass-audit.yml
File metadata and controls
122 lines (110 loc) · 4.44 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
# ============================================================================
# Emergency Bypass Audit — Track and report all enforcement overrides
# ============================================================================
#
# Fires when the `emergency:bypass` label is added or removed.
# Creates a persistent audit record as a repo issue with the `audit` label.
# Also removes the bypass label after merge to prevent re-use.
name: Bypass Audit Trail
on:
pull_request:
types: [closed, labeled]
branches: [main]
permissions:
contents: read
issues: write
pull-requests: write
jobs:
# Record when bypass label is applied
audit-bypass-applied:
if: >
github.event.action == 'labeled' &&
github.event.label.name == 'emergency:bypass'
runs-on: ubuntu-latest
steps:
- name: Record bypass activation
uses: actions/github-script@v7
with:
script: |
const pr = context.payload.pull_request;
const actor = context.actor;
// Extract bypass reason from PR body
const body = pr.body || '';
const reasonIdx = body.indexOf('## ⚠️ Bypass Reason');
let reason = '(No reason provided)';
if (reasonIdx !== -1) {
reason = body.slice(reasonIdx + '## ⚠️ Bypass Reason'.length).trim().split('\n')[0];
}
// Create audit issue
await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: `🔓 Bypass Activated: PR #${pr.number} by @${actor}`,
body: [
`## Emergency Bypass Audit Record`,
``,
`| Field | Value |`,
`|-------|-------|`,
`| **PR** | #${pr.number} |`,
`| **Title** | ${pr.title} |`,
`| **Actor** | @${actor} |`,
`| **Timestamp** | ${new Date().toISOString()} |`,
`| **Reason** | ${reason} |`,
`| **PR Labels** | ${pr.labels.map(l => '`' + l.name + '`').join(', ')} |`,
``,
`> This record was auto-generated by the bypass audit system.`,
`> Bypass records are permanent and cannot be deleted.`,
].join('\n'),
labels: ['audit', 'emergency:bypass'],
});
core.info(`📝 Audit record created for bypass on PR #${pr.number}`);
# Clean up bypass label after merge + create completion record
audit-bypass-merged:
if: >
github.event.action == 'closed' &&
github.event.pull_request.merged == true &&
contains(github.event.pull_request.labels.*.name, 'emergency:bypass')
runs-on: ubuntu-latest
steps:
- name: Record bypass merge and clean up
uses: actions/github-script@v7
with:
script: |
const pr = context.payload.pull_request;
// Remove the bypass label so it can't be re-used if PR is reopened
try {
await github.rest.issues.removeLabel({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: pr.number,
name: 'emergency:bypass',
});
core.info('Removed emergency:bypass label from merged PR');
} catch (err) {
core.warning(`Could not remove bypass label: ${err.message}`);
}
// Find the audit issue for this PR and add merge note
const auditIssues = await github.rest.issues.listForRepo({
owner: context.repo.owner,
repo: context.repo.repo,
labels: 'audit,emergency:bypass',
state: 'open',
});
const auditIssue = auditIssues.data.find(i =>
i.title.includes(`PR #${pr.number}`)
);
if (auditIssue) {
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: auditIssue.number,
body: [
`## ✅ Bypass Merge Complete`,
``,
`PR #${pr.number} was merged at ${new Date().toISOString()}.`,
`Merge commit: ${pr.merge_commit_sha}`,
``,
`This audit record will remain open for 30-day review.`,
].join('\n'),
});
}