added permission check for secrets (#14)

* added permission check for secrets * typo in subresource * moved auth check to the command receiver
2025-12-14 08:36:45 +00:00 · 2022-06-15 14:54:50 +02:00
parent 8ea57170d8
commit de4553f25a
4 changed files with 23 additions and 53 deletions
--- a/packages/k8s/src/index.ts
+++ b/packages/k8s/src/index.ts
@@ -1,11 +1,12 @@
-import { Command, getInputFromStdin, prepareJobArgs } from 'hooklib'
 import * as core from '@actions/core'
+import { Command, getInputFromStdin, prepareJobArgs } from 'hooklib'
 import {
  cleanupJob,
  prepareJob,
  runContainerStep,
  runScriptStep
 } from './hooks'
+import { isAuthPermissionsOK, namespace, requiredPermissions } from './k8s'

 async function run(): Promise<void> {
  const input = await getInputFromStdin()
@@ -17,6 +18,13 @@ async function run(): Promise<void> {

  let exitCode = 0
  try {
+    if (!(await isAuthPermissionsOK())) {
+      throw new Error(
+        `The Service account needs the following permissions ${JSON.stringify(
+          requiredPermissions
+        )} on the pod resource in the '${namespace}' namespace. Please contact your self hosted runner administrator.`
+      )
+    }
    switch (command) {
      case Command.PrepareJob:
        await prepareJob(args as prepareJobArgs, responseFile)