Add Access Control to Dispatchable Workflows

.github/actions/validate-actor/action.yaml

@@ -0,0 +1,28 @@
+name: Validate Access
+description: 'Check if the workflow is triggered by an admin user'
+
+# This callable workflow checks if the workflow is triggered by
+# a code owner or an image maintainer by testing the github.actor
+# variable against the CODEOWNERS file and the contacts.yaml file
+# under oci/* path
+
+inputs:
+  admin-only:
+    description: 'The protected workflow should only be triggered as a code owner or an image maintainer'
+    required: true
+    default: 'false'
+  image-path:
+    description: 'The path to the image to be built'
+    required: true
+  github-token:
+    description: 'The GITHUB_TOKEN for the GitHub CLI'
+    required: true
+
+runs:
+  using: "composite" 
+  steps:
+    - name: Check if the workflow is triggered by an admin user
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ inputs.github-token }}
+      run: ./.github/actions/validate-actor/validate-actor.sh ${{ github.actor }} ${{ inputs.admin-only }} ${{ github.workspace }}  ${{ inputs.image-path }}

.github/actions/validate-actor/test-validate-actor.bats

@@ -0,0 +1,46 @@
+#!/usr/bin/env bats
+
+SOURCE_DIR=$(dirname -- "${BASH_SOURCE[0]}")
+
+setup() {
+  workdir=$(mktemp -d)
+  mkdir -p $workdir/img
+  echo -n "*       @code-owner" > $workdir/CODEOWNERS
+  echo -e "maintainers:\n  - maintainer" > $workdir/img/contacts.yaml
+}
+
+@test "blocks non-code-owner-non-maintainer user" {
+  {
+    output=$(${BATS_TEST_DIRNAME}/validate-actor.sh "random" "true" $workdir "img" 2>&1)
+    exit_status=$?
+  } || true
+  [[ $exit_status -eq 1 ]]
+  [[ $(echo "${output}"| tail -n 1) = "The workflow is triggered by a user neither as a code owner nor a maintainer of the image img" ]]
+}
+
+@test "allows code owner" {
+  output=$(${BATS_TEST_DIRNAME}/validate-actor.sh "code-owner" "true" $workdir "img" 2>&1)
+  [[ $(echo "${output}"| tail -n 1) = "The workflow is triggered by code-owner as the code owner" ]]
+}
+
+@test "allows image maintainer" {
+  output=$(${BATS_TEST_DIRNAME}/validate-actor.sh "maintainer" "true" $workdir "img")
+  [[ $(echo "${output}"| tail -n 1) = "The workflow is triggered by maintainer as a maintainer of the image img" ]]
+}
+
+@test "allows non-code-owner-non-maintainer user" {
+  output=$(${BATS_TEST_DIRNAME}/validate-actor.sh "random" "false" $workdir "img")
+  [[ $(echo "${output}"| tail -n 1) = "The workflow is not restricted to non-code-owner or non-maintainer users" ]]
+}
+
+@test "user as both code-owner and maintainer is triggered as code owner" {
+  echo -n " @maintainer" >> $workdir/CODEOWNERS
+  output=$(${BATS_TEST_DIRNAME}/validate-actor.sh "maintainer" "true" $workdir "img")
+  [[ $(echo "${output}"| tail -n 1) = "The workflow is triggered by maintainer as the code owner" ]]
+}
+
+@test "teams are expanded to team members" {
+  echo -n "@canonical/rocks" >> $workdir/CODEOWNERS
+  output=$(${BATS_TEST_DIRNAME}/validate-actor.sh "ROCKsBot" "true" $workdir "img")
+  [[ $(echo "${output}"| tail -n 1) = "The workflow is triggered by ROCKsBot as the code owner" ]]
+}

.github/actions/validate-actor/validate-actor.sh

@@ -0,0 +1,35 @@
+#!/bin/bash -e
+
+actor=$1
+admin_only=$2
+workspace=$3
+image_path=$4
+
+echo "github.actor: ${actor}"
+echo "admin-only: ${admin_only}"
+if [[ ${admin_only} == true ]]; then
+    echo "Expanding team mentions in the CODEOWNERS file"
+    cp ${workspace}/CODEOWNERS ${workspace}/CODEOWNERS.bak
+    teams=$(grep -oE '@[[:alnum:]_.-]+\/[[:alnum:]_.-]+' ${workspace}/CODEOWNERS || true | sort | uniq)
+
+    for team in ${teams}; do
+        org=$(echo ${team} | cut -d'/' -f1 | sed 's/@//')
+        team_name=$(echo ${team} | cut -d'/' -f2)
+        members=$(gh api "/orgs/${org}/teams/${team_name}/members" | jq -r '.[].login')
+        replacement=$(echo "${members}" | xargs -I {} echo -n "@{} " | awk '{$1=$1};1')
+        sed -i "s|${team}|${replacement}|g" ${workspace}/CODEOWNERS
+    done
+
+    if grep -wq "@${actor}" ${workspace}/CODEOWNERS; then
+        echo "The workflow is triggered by ${actor} as the code owner"
+    elif cat ${workspace}/${image_path}/contacts.yaml | yq ".maintainers" | grep "\- " | grep -wq "${actor}"; then
+        echo "The workflow is triggered by ${actor} as a maintainer of the image ${image_path}"
+    else
+        echo "The workflow is triggered by a user neither as a code owner nor a maintainer of the image ${image_path}"
+        exit 1
+    fi
+else
+    echo "The workflow is not restricted to non-code-owner or non-maintainer users"
+fi
+
+mv ${workspace}/CODEOWNERS.bak ${workspace}/CODEOWNERS

.github/workflows/Announcements.yaml

@@ -33,6 +33,14 @@ jobs:
             fi
           done
 
+      - name: Validate access to triggered image
+        uses: ./.github/actions/validate-actor
+        if: ${{ github.repository == 'canonical/oci-factory' }}
+        with:
+          admin-only: true
+          image-path: "oci/${{ steps.get-image-name.outputs.img-name }}"
+          github-token: ${{ secrets.ROCKSBOT_TOKEN }}
+
       - name: Get contacts for ${{ steps.get-image-name.outputs.img-name }}
         id: get-contacts
         working-directory: oci/${{ steps.get-image-name.outputs.img-name }}
@@ -104,4 +112,3 @@ jobs:
           do
             MM_CHANNEL_ID="${channel}" ./src/notifications/send_to_mattermost.sh
           done
-

.github/workflows/Build-Rock.yaml

@@ -49,7 +49,17 @@ jobs:
         if: ${{ steps.clone-image-repo.outcome == 'failure' }}
         run: |
           git clone ${{ inputs.rock-repo }} .
+
+      - name: Validate access to triggered image
+        uses: ./.github/actions/validate-actor
+        if: ${{ github.repository == 'canonical/oci-factory' }}
+        with:
+          admin-only: true
+          image-path: ${{ inputs.oci-factory-path }}
+          github-token: ${{ secrets.ROCKSBOT_TOKEN }}
+
       - run: git checkout ${{ inputs.rock-repo-commit }}
+
       - run: sudo snap install yq --channel=v4/stable
       - name: Validate image naming and base
         working-directory: ${{ inputs.rockfile-directory }}

.github/workflows/Documentation.yaml

@@ -5,6 +5,8 @@ on:
   push:
     paths:
       - "oci/*/documentation.y*ml"
+    branches:
+      - main
   workflow_dispatch:
     inputs:
       oci-image-name:
@@ -40,6 +42,14 @@ jobs:
 
       - uses: actions/checkout@v4
 
+      - name: Validate access to triggered image
+        uses: ./.github/actions/validate-actor
+        if: ${{ github.repository == 'canonical/oci-factory' }}
+        with:
+          admin-only: true
+          image-path: "oci/${{ inputs.oci-image-name }}"
+          github-token: ${{ secrets.ROCKSBOT_TOKEN }}
+
       - name: Infer images to document
         uses: tj-actions/changed-files@v35
         id: changed-files

.github/workflows/Image.yaml

@@ -94,6 +94,14 @@ jobs:
           echo "img-name=$(basename ${img_path})" >> "$GITHUB_OUTPUT"
           echo "img-path=${img_path}" >> "$GITHUB_OUTPUT"
 
+      - name: Validate access to triggered image
+        uses: ./.github/actions/validate-actor
+        if: ${{ github.repository == 'canonical/oci-factory' }}
+        with:
+          admin-only: true
+          image-path: ${{ steps.validate-image.outputs.img-path }}
+          github-token: ${{ secrets.ROCKSBOT_TOKEN }}
+
       - name: Use custom image trigger
         if: ${{ inputs.b64-image-trigger != '' }}
         run: echo ${{ inputs.b64-image-trigger }} | base64 -d > ${{ steps.validate-image.outputs.img-path }}/image.yaml
@@ -113,7 +121,7 @@ jobs:
 
           ./src/image/prepare_single_image_build_matrix.py \
             --oci-path ${{ steps.validate-image.outputs.img-path }} \
-            --revision-data-dir ${{ env.DATA_DIR }} \
+            --revision-data-dir ${{ env.DATA_DIR }}
 
   run-build:
     needs: [prepare-build]

.github/workflows/Release.yaml

@@ -39,6 +39,14 @@ jobs:
 
       - uses: actions/checkout@v4
 
+      - name: Validate access to triggered image
+        uses: ./.github/actions/validate-actor
+        if: ${{ github.repository == 'canonical/oci-factory' }}
+        with:
+          admin-only: true
+          image-path: "oci/${{ inputs.oci-image-name }}"
+          github-token: ${{ secrets.ROCKSBOT_TOKEN }}
+
       - name: Infer number of image triggers
         uses: tj-actions/changed-files@v35
         id: changed-files

.github/workflows/Tests.yaml

@@ -66,9 +66,22 @@ env:
   DIVE_IMAGE: 'wagoodman/dive:v0.12'
 
 jobs:
+  access-check:
+    runs-on: ubuntu-22.04
+    steps:
+    - uses: actions/checkout@v4 
+    - name: Validate access to triggered image
+      uses: ./.github/actions/validate-actor
+      if: ${{ github.repository == 'canonical/oci-factory' }}
+      with:
+        admin-only: true
+        image-path: ${{ inputs.oci-image-path }}
+        github-token: ${{ secrets.ROCKSBOT_TOKEN }}
+
   fetch-oci-image:
     runs-on: ubuntu-22.04
     name: Fetch OCI image for testing
+    needs: [access-check]
     outputs:
       test-cache-key: ${{ steps.cache.outputs.key }}
     steps:

.github/workflows/Vulnerability-Scan.yaml

@@ -43,6 +43,14 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Validate access to triggered image
+        uses: ./.github/actions/validate-actor
+        if: ${{ github.repository == 'canonical/oci-factory' }}
+        with:
+          admin-only: true
+          image-path: ${{ inputs.oci-image-path }}
+          github-token: ${{ secrets.ROCKSBOT_TOKEN }}
+
       - id: vulnerability-report
         run: |
           full_name="${{ inputs.oci-image-name }}${{ inputs.vulnerability-report-suffix }}"

.github/workflows/_Test-OCI-Factory.yaml

@@ -4,6 +4,7 @@ on:
   push:
     paths:
       - ".github/workflows/*"
+      - ".github/actions/**"
       - "!.github/workflows/CLA-Check.yaml"
       - "!.github/workflows/PR-Validator.yaml"
       - "!.github/workflows/_Auto-updates.yaml"
@@ -16,8 +17,20 @@ on:
       - "!src/cli-client/**"
 
 jobs:
+  access-check:
+    name: Validate access to mock-rock
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ./.github/actions/validate-actor
+        with:
+          admin-only: true
+          image-path: "oci/mock-rock"
+          github-token: ${{ secrets.ROCKSBOT_TOKEN }}
+
   test-workflows:
     name: Trigger internal tests for mock-rock
+    needs: [access-check]
     uses: ./.github/workflows/Image.yaml
     with:
       oci-image-name: "mock-rock"

CODEOWNERS

@@ -0,0 +1 @@
+*       @canonical/rocks

oci/mock-rock/_releases.json

@@ -13,13 +13,13 @@
     },
     "1.0-22.04": {
         "candidate": {
-            "target": "397"
+            "target": "433"
         },
         "beta": {
-            "target": "397"
+            "target": "433"
         },
         "edge": {
-            "target": "397"
+            "target": "433"
         },
         "end-of-life": "2025-05-01T00:00:00Z"
     },
@@ -35,31 +35,31 @@
     "1.1-22.04": {
         "end-of-life": "2025-05-01T00:00:00Z",
         "candidate": {
-            "target": "398"
+            "target": "434"
         },
         "beta": {
-            "target": "398"
+            "target": "434"
         },
         "edge": {
-            "target": "398"
+            "target": "434"
         }
     },
     "1-22.04": {
         "end-of-life": "2025-05-01T00:00:00Z",
         "candidate": {
-            "target": "398"
+            "target": "434"
         },
         "beta": {
-            "target": "398"
+            "target": "434"
         },
         "edge": {
-            "target": "398"
+            "target": "434"
         }
     },
     "1.2-22.04": {
         "end-of-life": "2025-05-01T00:00:00Z",
         "beta": {
-            "target": "399"
+            "target": "435"
         },
         "edge": {
             "target": "1.2-22.04_beta"