Securing workflow_dispatch manual workflow? #26008
-
Hi, is there a way to secure a workflow_dispatch workflow? I would like only Maintainers to be able to execute a manual workflow (e.g. Deploy to EBS).
Replies: 4 comments
-
You can check who is triggering the workflow:
if: github.actor == 'noinarisak' || github.actor == 'kingthorin'
Example here: https://github.com/OWASP/www-project-web-security-testing-guide/blob/53d24199a86ef59888ad8b91d8a173468d862753/.github/workflows/pr_comment.yml#L10
Sadly there isn’t (currently) a way to check if your team or a specific role contains the github.actor.
Edit: There’s also some more details from GitHub staff here: Who can manually trigger a workflow using workflow_dispatch
-
Thanks @kingthorin!
Is the GH Actions enhancement request something I can add my additional vote to?
-
Sadly the form seems to be private (one-off) use: https://support.github.com/contact/feedback
-
@noinarisak I just came across this other syntax which is slightly better, but still requires a list of usernames.
-
You can check who is triggering the workflow:
if: github.actor == 'noinarisak' || github.actor == 'kingthorin'
Example here: https://github.com/OWASP/www-project-web-security-testing-guide/blob/53d24199a86ef59888ad8b91d8a173468d862753/.github/workflows/pr_comment.yml#L10
It’s slightly different, it runs for anyone other than the actors we check, but same basic idea. (!= vs ==.)
Sadly there isn’t (currently) a way to check if your team or a specific role contains the github.actor. I’ve submitted an enhancement request that they add something like @organization/some-team.contains(github.actor). Just as I’m writing this reply it occurs to me that something like github.actor.role == 'Maintai…
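
An added example, not part of the thread or of any project linked from it: instead of a hard-coded username list, a gate job can ask the GitHub REST API for the triggering user's repository role and stop the run unless it is maintain or admin. The workflow name, job names and the placeholder deploy step are assumptions.

```yaml
# Added example: gate a manual deploy on the caller's repository role.
name: deploy                      # hypothetical workflow name
on:
  workflow_dispatch:

permissions:
  contents: read                  # keep the job token at least privilege

jobs:
  authorize:
    runs-on: ubuntu-latest
    outputs:
      role: ${{ steps.role.outputs.role }}
    steps:
      - name: Look up the triggering user's repository role
        id: role
        env:
          GH_TOKEN: ${{ github.token }}
          REPO: ${{ github.repository }}
          ACTOR: ${{ github.actor }}   # passed via env, never interpolated into the script
        run: |
          # GET /repos/{owner}/{repo}/collaborators/{username}/permission
          # role_name distinguishes maintain from write; the legacy
          # "permission" field reports maintain as write.
          role=$(gh api "repos/$REPO/collaborators/$ACTOR/permission" --jq '.role_name')
          echo "role=$role" >> "$GITHUB_OUTPUT"
          case "$role" in
            admin|maintain)
              echo "$ACTOR is allowed ($role)"
              ;;
            *)
              echo "::error::$ACTOR has role '$role'; maintain or admin is required"
              exit 1
              ;;
          esac

  deploy:
    needs: authorize              # does not run when the authorize job fails
    runs-on: ubuntu-latest
    steps:
      - run: echo "deploy steps go here"   # placeholder for the real deployment
```

When a run is re-run by someone else, github.actor still names the user who started the original run, while github.triggering_actor names the user who started the re-run.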