allowlist-check: verbose output and gh command to create allowlist PR

allowlist-check/check_asf_allowlist.py

@@ -32,6 +32,7 @@
 import fnmatch
 import glob
 import os
+import shlex
 import sys
 from typing import Any, Generator
 
@@ -148,6 +149,63 @@ def is_allowed(action_ref: str, allowlist: list[str]) -> bool:
     return any(fnmatch.fnmatch(action_ref, pattern) for pattern in allowlist)
 
 
+def build_gh_pr_command(missing_refs: list[str], repo_name: str) -> str:
+    """Build a shell command that creates a PR adding missing actions to the allowlist.
+
+    The generated script forks ``apache/infrastructure-actions``, appends
+    wildcard entries to ``actions.yml``, and opens a pull request — all via
+    the ``gh`` CLI with no manual file editing required.
+
+    Args:
+        missing_refs: Action refs not on the allowlist (e.g. ``["owner/act@sha"]``).
+        repo_name: Value of ``$GITHUB_REPOSITORY`` (may be empty).
+
+    Returns:
+        str: A copy-pasteable shell script.
+    """
+    action_names = sorted({ref.split("@")[0] for ref in missing_refs})
+
+    # Branch name from first action, sanitised for git
+    sanitized = action_names[0].replace("/", "-")
+    if len(action_names) > 1:
+        sanitized += f"-and-{len(action_names) - 1}-more"
+    branch = f"allowlist-add-{sanitized}"
+
+    # YAML entries to append (wildcard — maintainers can pin later)
+    yaml_lines: list[str] = []
+    for name in action_names:
+        yaml_lines.append(f"{name}:")
+        yaml_lines.append("  '*':")
+        yaml_lines.append("    keep: true")
+    yaml_block = "\n".join(yaml_lines)
+
+    summary = ", ".join(action_names)
+    title = f"Add {summary} to the GitHub Actions allowlist"
+
+    body_lines = ["Add the following action(s) to the allowlist:", ""]
+    for name in action_names:
+        body_lines.append(f"- `{name}`")
+    if repo_name:
+        body_lines.extend(["", f"Needed by: `{repo_name}`"])
+    body = "\n".join(body_lines)
+
+    return (
+        f"( set -e; _d=$(mktemp -d); trap 'rm -rf \"$_d\"' EXIT; cd \"$_d\"\n"
+        f"  gh repo clone apache/infrastructure-actions . -- --depth=1\n"
+        f"  gh repo fork --remote\n"
+        f"  git checkout -b {shlex.quote(branch)}\n"
+        f"  cat >> actions.yml << 'ALLOWLIST_YAML'\n"
+        f"{yaml_block}\n"
+        f"ALLOWLIST_YAML\n"
+        f"  git add actions.yml\n"
+        f"  git commit -m {shlex.quote(f'Add {summary} to allowlist')}\n"
+        f"  git push -u origin {shlex.quote(branch)}\n"
+        f"  gh pr create --repo apache/infrastructure-actions"
+        f" --title {shlex.quote(title)}"
+        f" --body {shlex.quote(body)} )\n"
+    )
+
+
 def main():
     if len(sys.argv) != 2:
         print(f"Usage: {sys.argv[0]} <allowlist_path>", file=sys.stderr)
@@ -158,9 +216,21 @@ def main():
     scan_glob = os.environ.get("GITHUB_YAML_GLOB", DEFAULT_GITHUB_YAML_GLOB)
     action_refs = collect_action_refs(scan_glob)
 
+    print(f"Checking {len(action_refs)} unique action ref(s) against the ASF allowlist:\n")
     violations = []
     for action_ref, filepaths in sorted(action_refs.items()):
-        if not is_allowed(action_ref, allowlist):
+        allowed = is_allowed(action_ref, allowlist)
+        owner = action_ref.split("/")[0]
+        if owner in TRUSTED_OWNERS:
+            reason = f"trusted owner ({owner})"
+        elif allowed:
+            reason = "matches allowlist"
+        else:
+            reason = "NOT ON ALLOWLIST"
+        status = "✅" if allowed else "❌"
+        files_str = ", ".join(filepaths)
+        print(f"  {status} {action_ref} — {reason}  ({files_str})")
+        if not allowed:
             for filepath in filepaths:
                 violations.append((filepath, action_ref))
 
@@ -175,6 +245,12 @@ def main():
             " the action or version to the allowlist:"
             " https://github.com/apache/infrastructure-actions#adding-a-new-action-to-the-allow-list"
         )
+
+        missing_refs = sorted({ref for _, ref in violations})
+        repo_name = os.environ.get("GITHUB_REPOSITORY", "")
+        script = build_gh_pr_command(missing_refs, repo_name)
+        print(f"\n::notice::You can create a PR to add the missing entries by running:\n{script}")
+
         sys.exit(1)
     else:
         print(f"All {len(action_refs)} unique action refs are on the ASF allowlist")

allowlist-check/test_check_asf_allowlist.py

@@ -20,12 +20,15 @@
 import tempfile
 import textwrap
 import unittest
+from unittest.mock import patch
 
 from check_asf_allowlist import (
+    build_gh_pr_command,
     collect_action_refs,
     find_action_refs,
     is_allowed,
     load_allowlist,
+    main,
 )
 
 
@@ -303,5 +306,116 @@ def test_no_matching_files(self):
         self.assertEqual(refs, {})
 
 
+class TestBuildGhPrCommand(unittest.TestCase):
+    """Tests for the generated gh PR command."""
+
+    def test_single_action(self):
+        script = build_gh_pr_command(
+            ["evil-org/evil-action@abc123"], "apache/test-repo"
+        )
+        self.assertIn("gh repo clone apache/infrastructure-actions", script)
+        self.assertIn("gh repo fork --remote", script)
+        self.assertIn("allowlist-add-evil-org-evil-action", script)
+        self.assertIn("evil-org/evil-action:", script)
+        self.assertIn("  '*':", script)
+        self.assertIn("    keep: true", script)
+        self.assertIn("gh pr create --repo apache/infrastructure-actions", script)
+        self.assertIn("apache/test-repo", script)
+
+    def test_multiple_actions(self):
+        script = build_gh_pr_command(
+            ["b-org/b-action@sha1", "a-org/a-action@sha2"], ""
+        )
+        # Actions should be sorted
+        self.assertIn("a-org/a-action:", script)
+        self.assertIn("b-org/b-action:", script)
+        # Branch name mentions first action + "and more"
+        self.assertIn("allowlist-add-a-org-a-action-and-1-more", script)
+        # No repo reference when GITHUB_REPOSITORY is empty
+        self.assertNotIn("Needed by:", script)
+
+    def test_deduplicates_same_action_different_shas(self):
+        script = build_gh_pr_command(
+            ["org/action@sha1", "org/action@sha2"], ""
+        )
+        # Should appear only once in the YAML block
+        self.assertEqual(script.count("org/action:"), 1)
+
+
+class TestMainGhPrCommand(unittest.TestCase):
+    """Tests that main() prints a gh PR command on violations."""
+
+    def setUp(self):
+        self.tmpdir = tempfile.mkdtemp()
+        self.github_dir = os.path.join(self.tmpdir, ".github", "workflows")
+        os.makedirs(self.github_dir)
+
+        filepath = os.path.join(self.github_dir, "ci.yml")
+        with open(filepath, "w") as f:
+            f.write(
+                textwrap.dedent(
+                    """\
+                    name: CI
+                    on: push
+                    jobs:
+                      build:
+                        runs-on: ubuntu-latest
+                        steps:
+                          - uses: actions/checkout@v4
+                          - uses: evil-org/evil-action@abc123
+                    """
+                )
+            )
+
+        self.allowlist_path = os.path.join(self.tmpdir, "allowlist.yml")
+        with open(self.allowlist_path, "w") as f:
+            f.write("")
+
+    def tearDown(self):
+        shutil.rmtree(self.tmpdir)
+
+    @patch.dict(os.environ, {"GITHUB_REPOSITORY": "apache/test-repo"})
+    def test_main_prints_pr_command(self):
+        scan_glob = os.path.join(self.tmpdir, ".github/**/*.yml")
+        with (
+            patch.dict(os.environ, {"GITHUB_YAML_GLOB": scan_glob}),
+            patch("sys.argv", ["check_asf_allowlist.py", self.allowlist_path]),
+            patch("sys.stdout") as mock_stdout,
+            self.assertRaises(SystemExit) as cm,
+        ):
+            main()
+
+        self.assertEqual(cm.exception.code, 1)
+        output = "".join(
+            call.args[0] for call in mock_stdout.write.call_args_list
+        )
+        self.assertIn("gh pr create --repo apache/infrastructure-actions", output)
+        self.assertIn("evil-org/evil-action", output)
+        self.assertIn("apache/test-repo", output)
+
+    @patch.dict(os.environ, {"GITHUB_REPOSITORY": "apache/test-repo"})
+    def test_main_prints_verbose_check_output(self):
+        scan_glob = os.path.join(self.tmpdir, ".github/**/*.yml")
+        with (
+            patch.dict(os.environ, {"GITHUB_YAML_GLOB": scan_glob}),
+            patch("sys.argv", ["check_asf_allowlist.py", self.allowlist_path]),
+            patch("sys.stdout") as mock_stdout,
+            self.assertRaises(SystemExit),
+        ):
+            main()
+
+        output = "".join(
+            call.args[0] for call in mock_stdout.write.call_args_list
+        )
+        # Trusted action should show as allowed with reason
+        self.assertIn("actions/checkout@v4", output)
+        self.assertIn("trusted owner", output)
+        # Violation should show as not allowed
+        self.assertIn("evil-org/evil-action@abc123", output)
+        self.assertIn("NOT ON ALLOWLIST", output)
+        # Header line
+        self.assertIn("Checking 2 unique action ref(s)", output)
+
+
 if __name__ == "__main__":
     unittest.main()