add secure-files test

2025-12-19 18:10:59 -05:00 · 2022-08-03 13:03:15 -07:00
parent 467459af7c
commit 88df2f01f5
2 changed files with 53 additions and 0 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -32,3 +32,6 @@ package.json @github/docs-engineering
 /contributing/content-model.md @github/docs-content-strategy
 /contributing/content-style-guide.md @github/docs-content-strategy
 /contributing/content-templates.md @github/docs-content-strategy
+
+# Requires review of #actions-oidc-integration, https://github.com/github/docs-engineering/issues/1506
+content/actions/deployment/security-hardening-your-deployments/** @github/oidc
--- a/tests/content/secure-files.js
+++ b/tests/content/secure-files.js
@@ -0,0 +1,50 @@
+import fs from 'fs/promises'
+import path from 'path'
+import glob from 'glob'
+
+/*
+ * Verify that a list of file paths are present and optionally have a CODEOWNERS entry
+ *
+ * name: Readable description of file(s)
+ * path: Path to secure files (must match entry in CODEOWNERS if code owner required)
+ * requiredCodeOwner: (optional) Name of code owner if a code owner is required
+ */
+const secureFiles = [
+  {
+    name: 'Security hardening your deployments',
+    path: 'content/actions/deployment/security-hardening-your-deployments/**',
+    requiredCodeOwner: 'github/oidc',
+  },
+]
+
+const codeOwnersFile = await fs.readFile(path.join(process.cwd(), '.github/CODEOWNERS'), 'utf8')
+const codeOwners = codeOwnersFile.split(/\r?\n/)
+
+describe('Secure file paths are present and have code owners if required', () => {
+  for (const file of secureFiles) {
+    test(`secure file(s) check for: ${file.name}`, async () => {
+      // Verify file(s) exist in provided path
+      const matchingFiles = await new Promise((resolve, reject) => {
+        glob(file.path, { strict: true }, (error, files) => {
+          if (error) {
+            return reject(error)
+          }
+          resolve(files)
+        })
+      })
+      expect(matchingFiles.length, `Expected to find content in "${file.path}"`).toBeGreaterThan(0)
+
+      // Verify there are code owners for file(s)
+      if (file.requiredCodeOwner) {
+        const matchingEntry = codeOwners.find((entry) => entry.includes(file.path))
+        expect(
+          matchingEntry?.toLowerCase().includes(file.requiredCodeOwner.toLowerCase()),
+          `Code owner for ${file.name} expected to be @${file.requiredCodeOwner.replaceAll(
+            '@',
+            ''
+          )}`
+        ).toBeTruthy()
+      }
+    })
+  }
+})