openai/codex-action
Publicmirrored from https://github.com/openai/codex-actionAvailable
test/checkActorPermissions.test.mjs
77lines · modecode
| 1 | import assert from "node:assert/strict"; |
| 2 | import { spawnSync } from "node:child_process"; |
| 3 | import { test } from "node:test"; |
| 4 | import { fileURLToPath } from "node:url"; |
| 5 | |
| 6 | const mainPath = fileURLToPath(new URL("../dist/main.js", import.meta.url)); |
| 7 | |
| 8 | function runCheckWriteAccess(actor, args = []) { |
| 9 | const env = { |
| 10 | ...process.env, |
| 11 | GITHUB_ACTOR: actor, |
| 12 | GITHUB_REPOSITORY: "openai/codex-action", |
| 13 | }; |
| 14 | delete env.GH_TOKEN; |
| 15 | delete env.GITHUB_TOKEN; |
| 16 | |
| 17 | return spawnSync(process.execPath, [mainPath, "check-write-access", ...args], { |
| 18 | encoding: "utf8", |
| 19 | env, |
| 20 | }); |
| 21 | } |
| 22 | |
| 23 | test("does not trust arbitrary bot actor suffixes", () => { |
| 24 | const result = runCheckWriteAccess("openai-internal[bot]", ["--allow-bots", "true"]); |
| 25 | |
| 26 | assert.notEqual(result.status, 0); |
| 27 | assert.match(result.stderr, /A GitHub token is required/); |
| 28 | }); |
| 29 | |
| 30 | test("allows trusted GitHub bot actors when enabled", () => { |
| 31 | const result = runCheckWriteAccess("github-actions[bot]", ["--allow-bots", "true"]); |
| 32 | |
| 33 | assert.equal(result.status, 0, result.stderr); |
| 34 | assert.match(result.stdout, /permitted to continue/); |
| 35 | }); |
| 36 | |
| 37 | test("requires explicit opt-in for trusted GitHub bot actors", () => { |
| 38 | const result = runCheckWriteAccess("github-actions[bot]"); |
| 39 | |
| 40 | assert.notEqual(result.status, 0); |
| 41 | assert.match(result.stderr, /A GitHub token is required/); |
| 42 | }); |
| 43 | |
| 44 | test("does not trust dependabot when generic bot bypass is enabled", () => { |
| 45 | const result = runCheckWriteAccess("dependabot[bot]", ["--allow-bots", "true"]); |
| 46 | |
| 47 | assert.notEqual(result.status, 0); |
| 48 | assert.match(result.stderr, /A GitHub token is required/); |
| 49 | }); |
| 50 | |
| 51 | test("allows custom bot actors when explicitly listed", () => { |
| 52 | const result = runCheckWriteAccess("renovate[bot]", ["--allow-bot-users", "renovate"]); |
| 53 | |
| 54 | assert.equal(result.status, 0, result.stderr); |
| 55 | assert.match(result.stdout, /permitted to continue/); |
| 56 | }); |
| 57 | |
| 58 | test("does not allow unlisted custom bot actors", () => { |
| 59 | const result = runCheckWriteAccess("openai-internal[bot]", ["--allow-bot-users", "renovate"]); |
| 60 | |
| 61 | assert.notEqual(result.status, 0); |
| 62 | assert.match(result.stderr, /A GitHub token is required/); |
| 63 | }); |
| 64 | |
| 65 | test("does not apply custom bot allowlists to human actors", () => { |
| 66 | const result = runCheckWriteAccess("renovate", ["--allow-bot-users", "renovate"]); |
| 67 | |
| 68 | assert.notEqual(result.status, 0); |
| 69 | assert.match(result.stderr, /A GitHub token is required/); |
| 70 | }); |
| 71 | |
| 72 | test("rejects wildcard custom bot allowlists", () => { |
| 73 | const result = runCheckWriteAccess("openai-internal[bot]", ["--allow-bot-users", "*"]); |
| 74 | |
| 75 | assert.notEqual(result.status, 0); |
| 76 | assert.match(result.stderr, /allow-bot-users does not support '\*'/); |
| 77 | }); |
| 78 | |