Automate GitHub Actions allow list for GitHub Enterprise accounts

name: Deploy GitHub Actions allow list on: push: branches: [main] paths: [github-actions-allow-list.yml] jobs: deploy: runs-on: ubuntu-latest permissions: read-all steps: - name: Checkout uses: actions/checkout@v5.0.0 - name: Deploy GitHub Actions allow list uses: ActionsDesk/github-actions-allow-list-as-code-action@v3.0.0 with: token: ${{ secrets.ENTERPRISE_ADMIN_TOKEN }} enterprise: 'your-enterprise' # same as defined under `on.pull_requests.paths` allow_list_path: github-actions-allow-list.yml

ℹ️ Notes for providing enterprise or organization:

• Either provide enterprise to update the GitHub Enterprise Cloud's actions allow list, or organization to update a single organization's allow list.
• Providing both will result in the action run failing with Please provide only one of: enterprise, organization.
• If providing organization, but the allow list is handled via GitHub Enterprise Cloud's actions allow list, the action run will fail with Selected actions are already set at the enterprise level.

Example content for Allow List file containing actions: key and list with two allowed actions with specific versions, one wildcard entry for an entire org, and one wildcard entry for all versions of a specific action:

actions: - actionsdesk/github-actions-allow-list-as-code-action@v3.0.0 - hashicorp/vault-action@v2.7.4 - aquasecurity/tfsec-sarif-action@* - azure/*

To run locally, set the following environment variables, compile with ncc, and run with node:

export GITHUB_WORKSPACE=$(pwd) export INPUT_ALLOW_LIST_PATH=allowlist.yml export INPUT_ORGANIZATION=my-org # use INPUT_ENTERPRISE for enterprise export INPUT_TOKEN=ghp_abcdefg npm run build node dist/index.js

• MIT License