actions-allow-list.yml

name: 🚀🔐 Deploy Actions allow list 

on:
  push:
    branches: [main]
    paths:
      - github-actions-allow-list.yml
      - .github/workflows/actions-allow-list.yml
  pull_request:
    branches: [ main ]
  workflow_dispatch:

jobs:
  run:
    runs-on: ubuntu-latest

    permissions: read-all

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - uses: actions/create-github-app-token@v2
        id: app-token
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}
          owner: ${{ github.repository_owner }}

      - name: validate yml
        run: |
          if yq eval github-actions-allow-list.yml; then
            echo "Actions YML is valid"
          else
            echo "Actions YML validation failed"
            exit 1
          fi

      # if using Enterprise, use the `/enterprises/<enterprise-slug>` endpoint
      # and PAT - can't use GitHub app at Enterprise at Enterprise level
      - name: Enable Actions Policy in Org
        if: github.event_name != 'pull_request'
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          gh api -X PUT /orgs/${{ github.repository_owner }}/actions/permissions \
            -f enabled_repositories='all' \
            -f allowed_actions='selected'

          gh api -X PUT /orgs/${{ github.repository_owner }}/actions/permissions/selected-actions \
            -F github_owned_allowed=true \
            -F verified_allowed=true

      - name: Deploy GitHub Actions allow list
        if: github.event_name != 'pull_request'
        uses: ActionsDesk/github-actions-allow-list-as-code-action@013d3b0b014f3a7656c5b0a28c00fe8c7e41b5e3 # v3.1.0
        with:
          token: ${{ steps.app-token.outputs.token }}
          organization: ${{ github.repository_owner }}
          allow_list_path: github-actions-allow-list.yml