Securing workflow_dispatch manual workflow?

Hi

Is there a way to secure a workflow_dispatch workflow? I would like only Maintainers to be able to execute a manual workflow (e.g. Deploy to EBS).

You can check who is triggering the workflow:
if: github.actor == 'noinarisak' || github.actor == 'kingthorin'

Example here: https://github.com/OWASP/www-project-web-security-testing-guide/blob/53d24199a86ef59888ad8b91d8a173468d862753/.github/workflows/pr_comment.yml#L10
It’s slightly different: it runs for anyone other than the actors we check, but it's the same basic idea (!= vs ==).

Sadly there isn’t (currently) a way to check if your team or a specific role contains the github.actor. I’ve submitted an enhancement request that they add something like @organization/some-team.contains(github.actor). Just as I’m writing this reply it occurs to me that something like github.actor.role == 'Maintainer' might also be handy.

Edit: There are also some more details from GitHub staff here: Who can manually trigger a workflow using workflow_dispatch:

To trigger a workflow in a repository, the user should be a collaborator with Write permission in the repository. Normally the external users can’t trigger workflows in the repository.
If the external users use a pull request to trigger workflow from the forked repository, the GITHUB_TOKEN only has read permissions for some scope.

Thanks @kingthorin!

The if: github.actor == ... example will have to work for now. Your enhancement request would be ideal (e.g. @organization/some-team.contains(github.actor)), especially because I have to address onboarding and offboarding members and it's a pain to keep updating the YAML every time. The list of members is just an eyesore and leaves a lot of room for errors. :sweat_smile:

Is the GH Actions enhancement request something I can add my additional vote to?

Sadly the form seems to be private (one-off) use: https://support.github.com/contact/feedback

@noinarisak I just came across this other syntax which is slightly better, but still requires a list of usernames.

 if: contains('["kingthorin","noinarisak"]', github.actor)

Ref: [GitHub Actions] branch conditional
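A complete manual workflow built around the actor check discussed in this thread, as an added example that is not from the original posts; the workflow name, job steps, script path and usernames are assumptions. It wraps the list in fromJSON() so that contains() tests exact array membership, whereas the quoted-string form above performs a substring match.

```yaml
# Added example (not from the thread): a manual deploy workflow whose job only
# runs when the triggering user is on an allow-list. Workflow name, job steps,
# script path and usernames are assumptions. GitHub evaluates the job-level
# `if:` before any step runs, so a dispatch by a non-listed actor produces a
# skipped job rather than a deploy.
name: Deploy to EBS (manual)

on:
  workflow_dispatch:

# Least-privilege token for the job; widen only if a step actually needs more.
permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    # fromJSON() turns the literal into an array, so contains() checks that
    # github.actor is exactly one of the listed names. The plain string form,
    # contains('["kingthorin","noinarisak"]', github.actor), is a substring test
    # and would also match an actor named "king".
    if: contains(fromJSON('["kingthorin", "noinarisak"]'), github.actor)
    steps:
      - uses: actions/checkout@v4

      # Record who triggered the run in the job log for later audit. The actor
      # is passed via an environment variable rather than interpolated into the
      # shell command, which is the safer pattern for any context value.
      - name: Record who triggered the run
        env:
          ACTOR: ${{ github.actor }}
        run: echo "Deploy requested by $ACTOR"

      - name: Deploy
        run: ./scripts/deploy.sh   # assumed deploy script, not from the thread
```

Offboarding a maintainer still means editing the array; the gain over the string form is only that a partial username match can no longer slip through.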