Skip to content

Add ALLOWED_OWNERS configuration for repository ownership validation #77

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Matthew Brace (Kushmanmb) merged 3 commits into from
Feb 25, 2026
Merged

Add ALLOWED_OWNERS configuration for repository ownership validation #77

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
675032c
Initial plan
Copilot Feb 25, 2026
c964b95
Add ALLOWED_OWNERS configuration with validation
Copilot Feb 25, 2026
cf22369
Add documentation for allowed-owners script
Copilot Feb 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 35 additions & 10 deletions .github/rulesets/APPLY_RULESETS.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,17 +2,27 @@

This guide provides step-by-step instructions for applying the branch protection rulesets defined in this repository to the GitHub repository.

## Configuration

This repository supports multiple allowed repository owners. The allowed owners are configured in `.github/scripts/allowed-owners.sh`:

```bash
ALLOWED_OWNERS=("kushmanmb-org" "kushmanmb")
```

When applying rulesets, ensure you are working with one of the allowed repository owners.

## Prerequisites

- Repository admin access to `kushmanmb-org/web`
- Repository admin access to a repository owned by one of the allowed owners (e.g., `kushmanmb-org/web` or `kushmanmb/web`)
- GitHub CLI (`gh`) installed (for API method)
- OR access to GitHub web interface

## Method 1: Using GitHub Web Interface (Recommended)

### Step 1: Access Repository Settings

1. Navigate to https://github.com/kushmanmb-org/web
1. Navigate to https://github.com/{OWNER}/{REPO} (e.g., https://github.com/kushmanmb-org/web)
2. Click on **Settings** tab
3. In the left sidebar, click **Rules** → **Rulesets**

Expand Down Expand Up @@ -107,35 +117,48 @@ gh auth login

```bash
# Navigate to the repository directory
cd /path/to/web
cd /path/to/repo

# Source the allowed owners configuration
source .github/scripts/allowed-owners.sh

# Set your repository owner (must be one of the allowed owners)
REPO_OWNER="kushmanmb-org" # or "kushmanmb"
REPO_NAME="web" # your repository name

# Validate the owner is allowed
if ! validate_owner "$REPO_OWNER"; then
echo "Error: Invalid repository owner"
exit 1
fi

# Create master branch protection ruleset
gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
/repos/kushmanmb-org/web/rulesets \
/repos/${REPO_OWNER}/${REPO_NAME}/rulesets \
--input .github/rulesets/master-branch-protection.json

# Create release branch protection ruleset
gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
/repos/kushmanmb-org/web/rulesets \
/repos/${REPO_OWNER}/${REPO_NAME}/rulesets \
--input .github/rulesets/release-branch-protection.json

# Create tag protection ruleset
gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
/repos/kushmanmb-org/web/rulesets \
/repos/${REPO_OWNER}/${REPO_NAME}/rulesets \
--input .github/rulesets/tag-protection.json
```

### Step 3: Verify Rulesets

```bash
# List all rulesets
gh api /repos/kushmanmb-org/web/rulesets | jq '.[] | {id, name, target, enforcement}'
# List all rulesets using the same variables
gh api /repos/${REPO_OWNER}/${REPO_NAME}/rulesets | jq '.[] | {id, name, target, enforcement}'
```

## Method 3: Using Terraform (For Infrastructure as Code)
Expand All @@ -144,6 +167,8 @@ If you're managing GitHub infrastructure with Terraform:

```hcl
# main.tf
# Note: Set owner to one of the allowed owners: "kushmanmb-org" or "kushmanmb"

terraform {
required_providers {
github = {
Expand All @@ -154,11 +179,11 @@ terraform {
}

provider "github" {
owner = "kushmanmb-org"
owner = "kushmanmb-org" # or "kushmanmb" - must be one of the allowed owners
}

resource "github_repository_ruleset" "master_protection" {
repository = "web"
repository = "web" # your repository name
name = "Master Branch Protection"
target = "branch"
enforcement = "active"
Expand Down
109 changes: 109 additions & 0 deletions .github/scripts/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
# GitHub Scripts

This directory contains utility scripts for GitHub repository management.

## allowed-owners.sh

Configuration script that defines the allowed repository owners for this project.

### Configuration

```bash
ALLOWED_OWNERS=("kushmanmb-org" "kushmanmb")
```

### Usage

#### 1. Direct Execution

Run the script directly to list allowed owners:

```bash
.github/scripts/allowed-owners.sh
```

Output:
```
Allowed repository owners:
- kushmanmb-org
- kushmanmb
```

#### 2. Source in Other Scripts

Source the script to use the `ALLOWED_OWNERS` variable and `validate_owner` function:

```bash
#!/bin/bash
source .github/scripts/allowed-owners.sh

# Use the ALLOWED_OWNERS array
echo "Allowed owners: ${ALLOWED_OWNERS[@]}"

# Validate an owner
if validate_owner "kushmanmb-org"; then
echo "Owner is valid"
else
echo "Owner is not allowed"
exit 1
fi
```

### Example: Applying Rulesets

```bash
#!/bin/bash
# Source the configuration
source .github/scripts/allowed-owners.sh

# Set repository variables
REPO_OWNER="kushmanmb-org"
REPO_NAME="web"

# Validate owner before proceeding
if ! validate_owner "$REPO_OWNER"; then
echo "Error: $REPO_OWNER is not an allowed owner"
exit 1
fi

# Proceed with GitHub API calls
gh api /repos/${REPO_OWNER}/${REPO_NAME}/rulesets
```

### API Reference

#### Variables

- `ALLOWED_OWNERS` - Bash array containing allowed repository owner names

#### Functions

##### validate_owner

Validates if an owner is in the allowed list.

**Parameters:**
- `$1` - Owner name to validate

**Returns:**
- `0` - Owner is allowed
- `1` - Owner is not allowed or not specified

**Example:**
```bash
if validate_owner "kushmanmb"; then
echo "Valid owner"
fi
```

## Maintenance

When adding or removing allowed owners:

1. Edit the `ALLOWED_OWNERS` array in `allowed-owners.sh`
2. Update documentation in `.github/rulesets/APPLY_RULESETS.md` if needed
3. Test the changes:
```bash
source .github/scripts/allowed-owners.sh
validate_owner "new-owner"
```
35 changes: 35 additions & 0 deletions .github/scripts/allowed-owners.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
#!/bin/bash
# Configuration for allowed repository owners
# This script defines which GitHub organizations/users are allowed to own this repository

ALLOWED_OWNERS=("kushmanmb-org" "kushmanmb")

# Function to validate if an owner is allowed
# Usage: validate_owner "owner-name"
# Returns: 0 if owner is allowed, 1 otherwise
validate_owner() {
local owner="$1"

if [[ -z "$owner" ]]; then
echo "Error: No owner specified" >&2
return 1
fi

for allowed in "${ALLOWED_OWNERS[@]}"; do
if [[ "$owner" == "$allowed" ]]; then
return 0
fi
done

echo "Error: Owner '$owner' is not in the allowed list" >&2
echo "Allowed owners: ${ALLOWED_OWNERS[*]}" >&2
return 1
}

# If script is executed directly (not sourced), print the allowed owners
if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
echo "Allowed repository owners:"
for owner in "${ALLOWED_OWNERS[@]}"; do
echo " - $owner"
done
fi
Loading