
Commit 4473798

Update Monitor Branch Protection Changes.yml
The workflow has been updated to automatically lock branch-state issues and send notifications when change-event triggers occur. This improvement also mitigates risks associated with malicious modifications or non-functional scripts.
1 parent 7fba467 commit 4473798


1 file changed

+71
-3
lines changed


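--- a/Monitor Branch Protection Changes.yml
+++ b/Monitor Branch Protection Changes.yml
@@ -174,7 +174,7 @@ jobs:
 }
 }
 
-// Always create a new state issue
+// Always create a new state issue
 console.log('Creating new state issue...');
 const newIssue = await github.rest.issues.create({
 owner: repo.owner,
@@ -185,6 +185,15 @@ jobs:
 });
 console.log(`Created new state issue #${newIssue.data.number}`);
 
+// Lock the issue immediately
+await github.rest.issues.lock({
+owner: repo.owner,
+repo: repo.repo,
+issue_number: newIssue.data.number,
+lock_reason: 'resolved'
+});
+console.log(`Locked issue #${newIssue.data.number}`);
+
 // Set outputs for notifications
 core.setOutput('changes_detected', changesDetected.toString());
 core.setOutput('change_description', changeDescription);
@@ -194,6 +203,65 @@ jobs:
 core.setFailed(`Error: ${error.message}`);
 }
 
+- name: Send Slack Notification - Branch Protection Event
+if: github.event_name == 'branch_protection_rule'
+uses: slackapi/[email protected]
+env:
+SLACK_BOT_TOKEN: ${{ secrets.BRANCH_PROTECTION_SLACK_BOT_TOKEN }}
+with:
+channel-id: 'C081N38PHC5'
+payload: |
+{
+"text": "⚠️ Branch Protection Change Event Detected in ${{ github.repository }}",
+"blocks": [
+{
+"type": "header",
+"text": {
+"type": "plain_text",
+"text": "⚠️ Branch Protection Change Event Detected",
+"emoji": true
+}
+},
+{
+"type": "section",
+"text": {
+"type": "mrkdwn",
+"text": "*Repository:* ${{ github.repository }}\n*Triggered by:* ${{ github.actor }}\n*Event Type:* ${{ github.event.action }}\n*Workflow Run:* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Details>"
+}
+},
+{
+"type": "section",
+"text": {
+"type": "mrkdwn",
+"text": "⚠️ *Monitoring Notice:* A branch protection change event was triggered. If no change notification follows, this could indicate a non-working script or potential malicious activity."
+}
+},
+{
+"type": "actions",
+"elements": [
+{
+"type": "button",
+"text": {
+"type": "plain_text",
+"text": "View Branch Settings",
+"emoji": true
+},
+"url": "${{ github.server_url }}/${{ github.repository }}/settings/branches"
+},
+{
+"type": "button",
+"text": {
+"type": "plain_text",
+"text": "View Workflow Run",
+"emoji": true
+},
+"url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+}
+]
+}
+]
+}
+
 - name: Send Slack Notification - Changes Detected
 if: steps.check-rules.outputs.changes_detected == 'true'
 uses: slackapi/[email protected]
@@ -248,6 +316,8 @@ jobs:
 - name: Send Slack Notification - Error
 if: failure()
 uses: slackapi/[email protected]
+env:
+SLACK_BOT_TOKEN: ${{ secrets.BRANCH_PROTECTION_SLACK_BOT_TOKEN }}
 with:
 channel-id: 'C081N38PHC5'
 payload: |
@@ -277,5 +347,3 @@ jobs:
 }
 ]
 }
-env:
-SLACK_BOT_TOKEN: ${{ secrets.BRANCH_PROTECTION_SLACK_BOT_TOKEN }}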
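Review bot: The new "Send Slack Notification - Branch Protection Event" step is gated only by `if: github.event_name == 'branch_protection_rule'`, and an `if:` with no status function gets an implicit `success()`, so the step is skipped whenever an earlier step in the job has failed. Its message presents it as a signal that is independent of the checking script, yet a failure in that script leaves only the error notification; this includes a failure of the added `github.rest.issues.lock` call, which sits before the `core.setOutput` lines and appears to be inside the try block that ends in `core.setFailed`. Consider `if: always() && github.event_name == 'branch_protection_rule'`, or moving the step ahead of the check step, so the event is reported even when the script does not run to completion. The lock call could also move below the `core.setOutput` calls, so that a locking error (for example a token without issue write permission) does not discard the detected-change outputs. The script's try block and the job's step list begin outside the visible hunks.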
