// @ts-check
const { renderTemplate } = require("./messages_core.cjs");
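/**
 * Message templates for the lockdown / public-repository requirement checks.
 *
 * Each template carries `{name}` placeholders that are filled from
 * TEMPLATE_CONTEXT by renderTemplate (messages_core.cjs). The placeholder
 * syntax is presumed from how the templates are written here — confirm
 * against renderTemplate if the core helper changes.
 *
 * The literal text is user-facing and reproduced byte-for-byte; only the
 * surrounding documentation and the freeze on the shared context are new.
 */

// Shown when lockdown mode is on but no custom GitHub token is available.
const LOCKDOWN_TOKEN_ERROR_TEMPLATE = `Lockdown mode is enabled (lockdown: true) but no custom GitHub token is configured.
Please configure one of the following as a repository secret:
- GH_AW_GITHUB_TOKEN (recommended)
- GH_AW_GITHUB_MCP_SERVER_TOKEN (alternative)
- Custom github-token in your workflow frontmatter
See: {auth_docs_url}
To set a token:
gh aw secrets set GH_AW_GITHUB_TOKEN --value "YOUR_FINE_GRAINED_PAT"`;

// Shown when a workflow on a public repository was compiled without strict mode.
const PUBLIC_STRICT_MODE_ERROR_TEMPLATE = `This workflow is running on a public repository but was not compiled with strict mode.
Public repository workflows must be compiled with strict mode enabled to meet
the security requirements for public exposure.
To fix this, recompile the workflow with strict mode:
{strict_compile_command}
See: {security_docs_url}`;

// Shown when a public-repository workflow is triggered by pull_request_target,
// which exposes repository secrets to fork-originated runs.
const PULL_REQUEST_TARGET_ERROR_TEMPLATE = `This workflow is triggered by the pull_request_target event on a public repository.
The pull_request_target event is not allowed on public repositories because it runs
workflows with access to repository secrets even when triggered from a fork, which
creates a significant security risk (known as a "pwn request").
To fix this, use the pull_request event instead, or migrate to a private repository.
See: {security_docs_url}`;

// Substitution values shared by every template above. Frozen so that the
// object handed to renderTemplate (and to any other importer of this module)
// cannot be mutated, which would silently change the rendered guidance.
const TEMPLATE_CONTEXT = Object.freeze({
  auth_docs_url: "https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/auth.mdx",
  security_docs_url: "https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/security.mdx",
  strict_compile_command: "gh aw compile --strict",
});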
/**
 * Renders the "lockdown enabled but no custom token" error message.
 *
 * @returns {string} The lockdown-token template with its placeholders filled
 *   from TEMPLATE_CONTEXT (assumes renderTemplate returns a string — confirm
 *   against messages_core.cjs).
 */
function renderLockdownTokenErrorMessage() {
  const rendered = renderTemplate(LOCKDOWN_TOKEN_ERROR_TEMPLATE, TEMPLATE_CONTEXT);
  return rendered;
}
/**
 * Renders the "public repository requires strict mode" error message.
 *
 * @returns {string} The strict-mode template with its placeholders filled
 *   from TEMPLATE_CONTEXT (assumes renderTemplate returns a string — confirm
 *   against messages_core.cjs).
 */
function renderPublicStrictModeErrorMessage() {
  const rendered = renderTemplate(PUBLIC_STRICT_MODE_ERROR_TEMPLATE, TEMPLATE_CONTEXT);
  return rendered;
}
/**
 * Renders the "pull_request_target not allowed on public repositories" error message.
 *
 * @returns {string} The pull_request_target template with its placeholders
 *   filled from TEMPLATE_CONTEXT (assumes renderTemplate returns a string —
 *   confirm against messages_core.cjs).
 */
function renderPullRequestTargetErrorMessage() {
  const rendered = renderTemplate(PULL_REQUEST_TARGET_ERROR_TEMPLATE, TEMPLATE_CONTEXT);
  return rendered;
}
// Public surface of this module: one renderer per requirement-check message.
// The templates and context stay private so callers cannot alter the wording.
const lockdownRequirementMessages = {
  renderLockdownTokenErrorMessage,
  renderPublicStrictModeErrorMessage,
  renderPullRequestTargetErrorMessage,
};

module.exports = lockdownRequirementMessages;