Automate GitHub Actions allow list for GitHub Enterprise accounts

name: Deploy GitHub Actions allow list

on:
  push:
    branches: [main]
    paths: [github-actions-allow-list.yml]

jobs:
  deploy:
    runs-on: ubuntu-latest

    permissions: read-all

    steps:
      - name: Checkout
        uses: actions/checkout@v5.0.0

      - name: Deploy GitHub Actions allow list
        uses: ActionsDesk/github-actions-allow-list-as-code-action@v3.0.0
        with:
          token: ${{ secrets.ENTERPRISE_ADMIN_TOKEN }}
          enterprise: 'your-enterprise'
          # same as defined under `on.pull_requests.paths`
          allow_list_path: github-actions-allow-list.yml

ℹ️ Notes for providing enterprise or organization:

• Either provide enterprise to update the GitHub Enterprise Cloud's actions allow list, or organization to update a single organization's allow list.
• Providing both will result in the action run failing with Please provide only one of: enterprise, organization.
• If providing organization, but the allow list is handled via GitHub Enterprise Cloud's actions allow list, the action run will fail with Selected actions are already set at the enterprise level.

Example content for Allow List file containing actions: key and list with two allowed actions with specific versions, one wildcard entry for an entire org, and one wildcard entry for all versions of a specific action:

actions:
  - actionsdesk/github-actions-allow-list-as-code-action@v3.0.0
  - hashicorp/vault-action@v2.7.4
  - aquasecurity/tfsec-sarif-action@*
  - azure/*

To run locally, set the following environment variables, compile with ncc, and run with node:

export GITHUB_WORKSPACE=$(pwd)
export INPUT_ALLOW_LIST_PATH=allowlist.yml
export INPUT_ORGANIZATION=my-org # use INPUT_ENTERPRISE for enterprise
export INPUT_TOKEN=ghp_abcdefg
npm run build
node dist/index.js

• MIT License