Skip to content

fix: Enable submitting empty allowlist for actions permissions patterns#4371

Open
deiga wants to merge 3 commits into
google:masterfrom
F-Secure-web:enable-empty-allowlist-actions-permissions
Open

fix: Enable submitting empty allowlist for actions permissions patterns#4371
deiga wants to merge 3 commits into
google:masterfrom
F-Secure-web:enable-empty-allowlist-actions-permissions

Conversation

@deiga

@deiga deiga commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Resolves #4359

This PR changes PatternsAllowed to use omitzero instead of omitempty. That enables submitting an empty List to the API and thus override any currently set allowlisted patterns.

deiga added 2 commits July 7, 2026 22:17
Signed-off-by: Timo Sand <timo.sand@f-secure.com>
Signed-off-by: Timo Sand <timo.sand@f-secure.com>
@deiga deiga marked this pull request as draft July 7, 2026 19:37
@deiga deiga marked this pull request as ready for review July 7, 2026 19:37
@deiga deiga changed the title enable empty allowlist actions permissions Enable submitting an empty allowlist for actions permissions patterns Jul 7, 2026
@gmlewis gmlewis changed the title Enable submitting an empty allowlist for actions permissions patterns fix: Enable submitting empty allowlist for actions permissions patterns Jul 7, 2026
@gmlewis gmlewis added the NeedsReview PR is awaiting a review before merging. label Jul 7, 2026
@codecov

codecov Bot commented Jul 7, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.51%. Comparing base (90a1849) to head (8c14942).

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #4371   +/-   ##
=======================================
  Coverage   97.51%   97.51%           
=======================================
  Files         193      193           
  Lines       19526    19526           
=======================================
  Hits        19040    19040           
  Misses        269      269           
  Partials      217      217           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@gmlewis gmlewis left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, @deiga!
LGTM.
Awaiting second LGTM+Approval from any other contributor to this repo before merging.

cc: @stevehipwell - @alexandear - @Not-Dhananjay-Mishra

Comment thread github/actions_permissions_orgs.go Outdated
GithubOwnedAllowed *bool `json:"github_owned_allowed,omitempty"`
VerifiedAllowed *bool `json:"verified_allowed,omitempty"`
PatternsAllowed []string `json:"patterns_allowed,omitempty"`
PatternsAllowed []string `json:"patterns_allowed,omitzero"`

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's add a comment about distinguishing passing an empty slice []string{} and passing nil slice and why we need both.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@alexandear Done. I hope it's placed correctly 😬

@stevehipwell stevehipwell left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Signed-off-by: Timo Sand <timo.sand@f-secure.com>
GithubOwnedAllowed *bool `json:"github_owned_allowed,omitempty"`
VerifiedAllowed *bool `json:"verified_allowed,omitempty"`
PatternsAllowed []string `json:"patterns_allowed,omitempty"`
PatternsAllowed []string `json:"patterns_allowed,omitzero"` // omitzero is used to allow empty array to be sent in the request body, to configure the organization to allow no 3rd-party actions. It needs to still omit a `nil` value, so that it's possible to patch the other values without changing the allowed actions.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
PatternsAllowed []string `json:"patterns_allowed,omitzero"` // omitzero is used to allow empty array to be sent in the request body, to configure the organization to allow no 3rd-party actions. It needs to still omit a `nil` value, so that it's possible to patch the other values without changing the allowed actions.
// PatternsAllowed uses `omitzero` allow an empty array to be sent in the request body in order to
// configure the organization to allow no 3rd-party actions. It needs to still omit a `nil` value so
// that it's possible to patch the other values without changing the allowed actions.
PatternsAllowed []string `json:"patterns_allowed,omitzero"`

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

NeedsReview PR is awaiting a review before merging.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

BUG: GitHub Actions Permissions do not allow emptying a once-set allowlist

4 participants