openai/codex-action

Public

mirrored from https://github.com/openai/codex-actionAvailable

CodeCommitsIssuesPull requestsActionsInsightsSecurity
v1.9

Branches

Tags

  • No tags available.
0Branches0Tags
Go to file
Add file
Code

Clone

HTTPS

Download ZIP

test/checkActorPermissions.test.mjs

77lines · modecode

1import assert from "node:assert/strict";
2import { spawnSync } from "node:child_process";
3import { test } from "node:test";
4import { fileURLToPath } from "node:url";
5
6const mainPath = fileURLToPath(new URL("../dist/main.js", import.meta.url));
7
8function runCheckWriteAccess(actor, args = []) {
9 const env = {
10 ...process.env,
11 GITHUB_ACTOR: actor,
12 GITHUB_REPOSITORY: "openai/codex-action",
13 };
14 delete env.GH_TOKEN;
15 delete env.GITHUB_TOKEN;
16
17 return spawnSync(process.execPath, [mainPath, "check-write-access", ...args], {
18 encoding: "utf8",
19 env,
20 });
21}
22
23test("does not trust arbitrary bot actor suffixes", () => {
24 const result = runCheckWriteAccess("openai-internal[bot]", ["--allow-bots", "true"]);
25
26 assert.notEqual(result.status, 0);
27 assert.match(result.stderr, /A GitHub token is required/);
28});
29
30test("allows trusted GitHub bot actors when enabled", () => {
31 const result = runCheckWriteAccess("github-actions[bot]", ["--allow-bots", "true"]);
32
33 assert.equal(result.status, 0, result.stderr);
34 assert.match(result.stdout, /permitted to continue/);
35});
36
37test("requires explicit opt-in for trusted GitHub bot actors", () => {
38 const result = runCheckWriteAccess("github-actions[bot]");
39
40 assert.notEqual(result.status, 0);
41 assert.match(result.stderr, /A GitHub token is required/);
42});
43
44test("does not trust dependabot when generic bot bypass is enabled", () => {
45 const result = runCheckWriteAccess("dependabot[bot]", ["--allow-bots", "true"]);
46
47 assert.notEqual(result.status, 0);
48 assert.match(result.stderr, /A GitHub token is required/);
49});
50
51test("allows custom bot actors when explicitly listed", () => {
52 const result = runCheckWriteAccess("renovate[bot]", ["--allow-bot-users", "renovate"]);
53
54 assert.equal(result.status, 0, result.stderr);
55 assert.match(result.stdout, /permitted to continue/);
56});
57
58test("does not allow unlisted custom bot actors", () => {
59 const result = runCheckWriteAccess("openai-internal[bot]", ["--allow-bot-users", "renovate"]);
60
61 assert.notEqual(result.status, 0);
62 assert.match(result.stderr, /A GitHub token is required/);
63});
64
65test("does not apply custom bot allowlists to human actors", () => {
66 const result = runCheckWriteAccess("renovate", ["--allow-bot-users", "renovate"]);
67
68 assert.notEqual(result.status, 0);
69 assert.match(result.stderr, /A GitHub token is required/);
70});
71
72test("rejects wildcard custom bot allowlists", () => {
73 const result = runCheckWriteAccess("openai-internal[bot]", ["--allow-bot-users", "*"]);
74
75 assert.notEqual(result.status, 0);
76 assert.match(result.stderr, /allow-bot-users does not support '\*'/);
77});
78