###############################################################################################
###############################################################################################
## ##
## ██████╗ █████╗ ██████╗ ████████╗███████╗███████╗████████╗ ##
## ██╔══██╗██╔══██╗██╔══██╗ ╚══██╔══╝██╔════╝██╔════╝╚══██╔══╝ ##
## ██████╔╝███████║██║ ██║ ██║ █████╗ ███████╗ ██║ ##
## ██╔══██╗██╔══██║██║ ██║ ██║ ██╔══╝ ╚════██║ ██║ ##
## ██████╔╝██║ ██║██████╔╝ ██║ ███████╗███████║ ██║ ##
## ╚═════╝ ╚═╝ ╚═╝╚═════╝ ╚═╝ ╚══════╝╚══════╝ ╚═╝ ##
## ##
###############################################################################################
###############################################################################################
## ##
## ⚠️ WARNING: THIS WORKFLOW IS INTENTIONALLY BROKEN FOR TESTING PURPOSES ⚠️ ##
## ##
## DO NOT USE THIS AS A TEMPLATE FOR YOUR OWN WORKFLOWS! ##
## ##
## This workflow uses the built-in GITHUB_TOKEN which DOES NOT have permissions ##
## to access the secret-scanning API. It will fail with permission errors. ##
## ##
## The purpose of this workflow is to: ##
## 1. Test error handling when insufficient permissions are provided ##
## 2. Verify debug output shows token scopes correctly ##
## 3. Ensure the action fails gracefully with helpful error messages ##
## ##
## CORRECT USAGE requires a PAT or GitHub App token with: ##
## - Classic PAT: 'repo' scope (or 'public_repo' + 'security_events' for public repos) ##
## - Fine-grained PAT: 'secret_scanning_alerts:read' + 'pull_requests:write' ##
## ##
## See README.md for proper configuration instructions. ##
## ##
###############################################################################################
###############################################################################################
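name: '❌ BAD TEST - DO NOT COPY - Uses GITHUB_TOKEN (will fail)'

# NOTE(review): repository/environment secrets other than GITHUB_TOKEN are not
# supplied to workflows triggered by a pull_request from a fork. On such PRs the
# PAT steps below would fail with an empty token rather than with the permission
# error they are meant to exercise, and the final check would still pass.
# Confirm this job is only expected to run on same-repository PRs or via
# workflow_dispatch.
on:
  pull_request:
    types: [opened, synchronize, reopened]
  workflow_dispatch: # Allow manual trigger for testing

jobs:
  ###############################################################################################
  # THIS JOB WILL FAIL - GITHUB_TOKEN CANNOT ACCESS SECRET SCANNING API
  ###############################################################################################
  bad-secret-scanning-review:
    name: '❌ BAD: Secret Scan with GITHUB_TOKEN (WILL FAIL)'
    runs-on: ubuntu-latest
    environment: bad test
    # Even with all these permissions, GITHUB_TOKEN still cannot access secret-scanning API!
    # The secret-scanning API requires a PAT or GitHub App token.
    permissions:
      contents: read
      pull-requests: write
      security-events: read # This does NOT grant secret-scanning access!
    steps:
      - name: '📥 Checkout repository'
        # Required because the steps below run the action from this checkout (`uses: ./`).
        # NOTE(review): `@v6` is a mutable tag; pinning to a full commit SHA
        # (actions/checkout@<commit-sha>) is the usual hardening for third-party actions.
        uses: actions/checkout@v6

      - name: '⚠️ WARNING - This is a bad test'
        run: |
          echo "::warning::This workflow intentionally uses GITHUB_TOKEN which lacks secret-scanning permissions"
          echo "::warning::Expected behavior: The action should fail with a permission error"
          echo "::warning::This tests the error handling and debug output of the action"

      #######################################################################################
      # THIS STEP WILL FAIL because GITHUB_TOKEN cannot access /secret-scanning/alerts API
      #######################################################################################
      - name: '❌ Secret Scanning Review with GITHUB_TOKEN (EXPECTED TO FAIL)'
        id: github-token-test
        continue-on-error: true
        uses: ./
        with:
          # ⚠️ BAD: Using GITHUB_TOKEN - this WILL NOT work!
          # The secret-scanning API requires a PAT with 'repo' scope or a GitHub App token
          # with 'secret_scanning_alerts:read' permission.
          #
          # GITHUB_TOKEN does not have access to the secret-scanning API regardless of
          # what permissions are set in the workflow's 'permissions' block.
          token: ${{ secrets.GITHUB_TOKEN }}
          fail-on-alert: false # Doesn't matter - will fail before this is evaluated
          runtime: 'powershell'

      #######################################################################################
      # THIS STEP WILL ALSO FAIL because the PAT has no permissions
      #######################################################################################
      - name: '❌ Secret Scanning Review with No-Permission PAT (EXPECTED TO FAIL)'
        id: no-permission-pat-test
        continue-on-error: true
        uses: ./
        with:
          # ⚠️ BAD: Using a PAT with no permissions - this WILL NOT work!
          # The secret-scanning API requires a PAT with 'repo' scope or
          # 'secret_scanning_alerts:read' permission for fine-grained PATs.
          token: ${{ secrets.PAT_NO_PERMISSIONS }}
          fail-on-alert: false # Doesn't matter - will fail before this is evaluated
          runtime: 'powershell'

      #######################################################################################
      # THIS STEP WILL ALSO FAIL because the PAT has permissions but not secret scanning
      #######################################################################################
      - name: '❌ Secret Scanning Review with PAT Missing Secret Scanning (EXPECTED TO FAIL)'
        id: no-secret-scanning-pat-test
        continue-on-error: true
        uses: ./
        with:
          # ⚠️ BAD: Using a PAT that has some permissions but NOT secret scanning access!
          # This PAT might have 'read:org' or other scopes, but without 'repo' scope
          # it cannot access the secret-scanning API.
          token: ${{ secrets.SSRA_GITHUB_PAT_NO_SECRET_PERMISSIONS }}
          fail-on-alert: false # Doesn't matter - will fail before this is evaluated
          runtime: 'powershell'

      #######################################################################################
      # THIS STEP WILL ALSO FAIL - Classic PAT without repo scope
      #######################################################################################
      - name: '❌ Secret Scanning Review with Classic PAT Missing Repo Scope (EXPECTED TO FAIL)'
        id: classic-pat-test
        continue-on-error: true
        uses: ./
        with:
          # ⚠️ BAD: Using a classic PAT that has some scopes but NOT 'repo' scope!
          # Classic PATs need 'repo' scope for secret scanning access.
          # This test verifies the OAuth scopes are displayed in the error output.
          token: ${{ secrets.SSRA_GITHUB_PAT_CLASSIC_NO_SECRET_PERMISSIONS }}
          fail-on-alert: false # Doesn't matter - will fail before this is evaluated
          runtime: 'powershell'

      #######################################################################################
      # Verify all tests failed as expected - if any succeeded, something is wrong!
      #######################################################################################
      - name: '✅ Verify all tests failed as expected'
        # Step outcomes are handed to the script through `env` so the shell body
        # contains no `${{ }}` interpolation. `outcome` is the step's result before
        # `continue-on-error` is applied (`conclusion` would read 'success').
        env:
          GITHUB_TOKEN_TEST: ${{ steps.github-token-test.outcome }}
          NO_PERMISSION_PAT_TEST: ${{ steps.no-permission-pat-test.outcome }}
          NO_SECRET_SCANNING_PAT_TEST: ${{ steps.no-secret-scanning-pat-test.outcome }}
          CLASSIC_PAT_TEST: ${{ steps.classic-pat-test.outcome }}
        run: |
          echo "Checking test outcomes..."
          FAILED=0
          # check <label> <outcome>: print the outcome and flag anything other than 'failure'
          check() {
            echo "$1: $2"
            if [ "$2" != "failure" ]; then
              echo "::error::$1 should have failed but got: $2"
              FAILED=1
            fi
          }
          check "GITHUB_TOKEN test" "$GITHUB_TOKEN_TEST"
          check "No-permission PAT test" "$NO_PERMISSION_PAT_TEST"
          check "No secret scanning PAT test" "$NO_SECRET_SCANNING_PAT_TEST"
          check "Classic PAT test" "$CLASSIC_PAT_TEST"
          if [ "$FAILED" -eq 1 ]; then
            echo "::error::One or more tests did not fail as expected!"
            exit 1
          fi
          echo "✅ All tests failed as expected - error handling is working correctly!"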