WIP script to update action.yml with permissions based on https://github.com/octokit/app-permissions/blob/main/generated/api.github.com.json

gr2m · gr2m · commit 2804fe1ca096 · 2024-09-05T16:06:45.000-07:00
diff --git a/action.yml b/action.yml
@@ -37,6 +37,48 @@ inputs:
   github-api-url:
     description: The URL of the GitHub REST API.
     default: ${{ github.api_url }}
+  # <START GENERATED PERMISSIONS INPUTS>
+  permission-metadata:
+    description: "Can be set to 'read'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#metadata"
+  permission-actions:
+    description: "Can be set to 'read' or 'write'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#actions"
+  permission-administration:
+    description: "Can be set to 'read' or 'write'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#administration"
+  permission-organization-user-blocking:
+    description: "Can be set to 'read' or 'write'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#organization-user-blocking"
+  permission-checks:
+    description: "Can be set to 'read' or 'write'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#checks"
+  permission-security-events:
+    description: "Can be set to 'read' or 'write'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#code-scanning-alerts"
+  permission-statuses:
+    description: "Can be set to 'read' or 'write'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#commit-statuses"
+  permission-contents:
+    description: "Can be set to 'read' or 'write'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#contents"
+  permission-vulnerability-alerts:
+    description: "Can be set to 'read' or 'write'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#dependabot-alerts"
+  permission-deployments:
+    description: "Can be set to 'read' or 'write'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#deployments"
+  permission-issues:
+    description: "Can be set to 'read' or 'write'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#issues"
+  permission-members:
+    description: "Can be set to 'read' or 'write'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#members"
+  permission-organization-administration:
+    description: "Can be set to 'read' or 'write'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#organization-administration"
+  permission-organization-projects:
+    description: "Can be set to 'read' or 'write'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#organization-projects"
+  permission-pages:
+    description: "Can be set to 'read' or 'write'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#pages"
+  permission-pull-requests:
+    description: "Can be set to 'read' or 'write'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#pull-requests"
+  permission-repository-projects:
+    description: "Can be set to 'read' or 'write'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#repository-projects"
+  permission-secrets:
+    description: "Can be set to 'read' or 'write'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#secrets"
+  permission-single-file:
+    description: "Can be set to 'read' or 'write'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#single-file"
+  permission-team-discussions:
+    description: "Can be set to 'read' or 'write'. Learn more at https://docs.github.com/en/free-pro-team@latest/rest/reference/permissions-required-for-github-apps/#team-discussions"
+  # <END GENERATED PERMISSIONS INPUTS>
 outputs:
   token:
     description: "GitHub installation access token"
diff --git a/scripts/update-permission-inputs.js b/scripts/update-permission-inputs.js
@@ -0,0 +1,44 @@
+import { readFile, writeFile } from "node:fs/promises";
+
+import { request } from "@octokit/request";
+
+const { data: permissionsSchemaString } = await request(
+  "GET /repos/{owner}/{repo}/contents/{path}",
+  {
+    owner: "octokit",
+    repo: "app-permissions",
+    path: "generated/api.github.com.json",
+    mediaType: {
+      format: "raw",
+    },
+    headers: {
+      authorization: `token ${process.env.GITHUB_TOKEN}`,
+    },
+  },
+);
+
+const permissionsSchema = JSON.parse(permissionsSchemaString);
+
+const permissionsInputs = Object.entries(permissionsSchema.permissions).reduce(
+  (result, [key, value]) => {
+    const supportsWrite = value.write.length > 0;
+    const description = supportsWrite
+      ? `Can be set to 'read' or 'write'. Learn more at ${value.url}`
+      : `Can be set to 'read'. Learn more at ${value.url}`;
+    return `${result}
+  permission-${key.replace(/_/g, "-")}:
+    description: "${description}"`;
+  },
+  "",
+);
+
+const actionsYamlContent = await readFile("action.yml", "utf8");
+
+// In the action.yml file, replace the content between the `<START GENERATED PERMISSIONS INPUTS>` and `<END GENERATED PERMISSIONS INPUTS>` comments with the new content
+const updatedActionsYamlContent = actionsYamlContent.replace(
+  /(?<=# <START GENERATED PERMISSIONS INPUTS>)(.|\n)*(?=# <END GENERATED PERMISSIONS INPUTS>)/,
+  permissionsInputs + "\n  ",
+);
+
+await writeFile("action.yml", updatedActionsYamlContent, "utf8");
+console.log("Updated action.yml with new permissions inputs");
