github/entitlements-gitrepo-auditor-plugin

entitlements-gitrepo-auditor-plugin

entitlements-gitrepo-auditor-plugin is an entitlements-app plugin allowing further auditing capabilities in entitlements by writing each deploy log to a separate GitHub repo.

Usage

Your entitlements-app config, config/entitlements.yaml, is run through ERB automatically. You can extend your entitlements configuration to load plugins like so:

<%-
  unless ENV['CI_MODE']
    begin
      require_relative "/data/entitlements/lib/entitlements-and-plugins"
    rescue Exception
      begin
        require_relative "lib/entitlements-and-plugins"
      rescue Exception
        # We might not have the plugins installed and still want this file to be
        # loaded. Don't raise anything but silently fail.
      end
    end
  end
-%>

You can then define lib/entitlements-and-plugins like so:

#!/usr/bin/env ruby
# frozen_string_literal: true

ENV["BUNDLE_GEMFILE"] = File.expand_path("../../Gemfile", File.dirname(__FILE__))
require "bundler/setup"
require "entitlements"

# require entitlements plugins here
require "entitlements/auditor/gitrepo"
require "entitlements/util/gitrepo"

Any plugins defined in lib/entitlements-and-plugins will be loaded and used at entitlements-app runtime.

Features

Git Repo Auditing

You can add automatic auditing to a separate Git repository by enabling the following entitlements.yaml config:

<%-
    # NOTE: GITREPO_SSH_KEY must be base64 encoded.
    sshkey = ENV.fetch("GITREPO_SSH_KEY")
    shipper = ENV.fetch("GIT_SHIPPER", "<unknown person>")
    what = ["entitlements", ENV.fetch("GIT_BRANCH", "<unknown branch>")].join("/")
    sha = ENV.fetch("GIT_SHA1", "<unknown sha>")
    url = "https://github.com/github/entitlements-config/commit/#{sha}"
    commit_message = "#{shipper} deployed #{what} (#{url})"
-%>
auditors:
  - auditor_class: GitRepo
    checkout_directory: <%= ENV["GITREPO_CHECKOUT_DIRECTORY"] %>
    commit_message: <%= commit_message %>
    git_name: GitRepoUser
    git_email: gitrepousers@users.noreply
    person_dn_format: uid=%KEY%,ou=People,dc=github,dc=net
    repo: github/entitlements-config-auditlog
    sshkey: '<%= sshkey %>'

At the end of each entitlements-app run, the entitlements-gitrepo-auditor-plugin will write a commit to the repo defined above with the details of the deployment.
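
A preflight check for the auditor config above, as an added example (not code from the plugin or entitlements-app): it renders the ERB, parses the YAML, and confirms the GitRepo entry carries the keys shown above and a strictly base64-encoded private key. The helper names, the key list (copied from the sample config, not a plugin schema) and the trimmed template are assumptions.

```ruby
require "erb"
require "yaml"

# Keys shown in the sample auditor config above (not the plugin's own schema).
EXPECTED_KEYS = %w[auditor_class checkout_directory commit_message git_name
                   git_email person_dn_format repo sshkey].freeze

# Constructed template: the auditor block from above with a fixed commit message.
SAMPLE_TEMPLATE = <<~'TEMPLATE'
  <%- sshkey = ENV.fetch("GITREPO_SSH_KEY") -%>
  auditors:
    - auditor_class: GitRepo
      checkout_directory: <%= ENV["GITREPO_CHECKOUT_DIRECTORY"] %>
      commit_message: constructed deploy message
      git_name: GitRepoUser
      git_email: gitrepousers@users.noreply
      person_dn_format: uid=%KEY%,ou=People,dc=github,dc=net
      repo: github/entitlements-config-auditlog
      sshkey: '<%= sshkey %>'
TEMPLATE

# GITREPO_SSH_KEY must be base64. "m0" is the strict decoder that
# Base64.strict_decode64 wraps; it raises on a raw PEM or stray whitespace.
def sshkey_problems(value)
  decoded = value.unpack1("m0")
  return [] if decoded.include?("PRIVATE KEY-----")
  ["sshkey decodes, but not to a PEM/OpenSSH private key"]
rescue ArgumentError
  ["sshkey is not strict base64"]
end

# Render the ERB template (hypothetical helper) and list problems in its
# GitRepo auditor entries. Messages never include the key material itself.
def gitrepo_auditor_problems(template)
  config = YAML.safe_load(ERB.new(template, trim_mode: "-").result) || {}
  auditors = Array(config["auditors"]).select do |a|
    a.is_a?(Hash) && a["auditor_class"] == "GitRepo"
  end
  return ["no GitRepo auditor configured"] if auditors.empty?

  auditors.flat_map do |a|
    (EXPECTED_KEYS - a.keys).map { |k| "missing key: #{k}" } +
      sshkey_problems(a["sshkey"].to_s)
  end
end
```

Run it with the same environment variables the deploy job uses, so a key pasted as raw PEM is caught before entitlements-app reaches the audit commit.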

Release 🚀

To release a new version of this Gem, do the following:

  1. Update the version number in the lib/version.rb file
  2. Run bundle install to update the Gemfile.lock file with the new version
  3. Commit your changes, push them to GitHub, and open a PR

Once your PR is approved and the changes are merged, a new release will be created automatically by the release.yml workflow. The latest version of the Gem will be published to the GitHub Package Registry and RubyGems.