Never run outside github actions

2025-07-02 21:41:53 -04:00 · 2025-05-09 22:59:12 -04:00
parent d1b6ae381c
commit 376471cd3a
2 changed files with 72 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -1,2 +1,60 @@
 # go-github-sync
-Automatically set up github sync
+
+A Go tool that generates and sets up GitHub Actions workflows to automatically sync external repositories to GitHub mirrors.
+
+## Overview
+
+The `go-github-sync` tool creates GitHub Actions workflows that periodically pull changes from a primary repository and push them to a GitHub mirror repository. It can either output the workflow YAML file or directly set it up in the target GitHub repository.
+
+## Installation
+
+```bash
+# Clone the repository
+git clone https://github.com/go-i2p/go-github-sync.git
+
+# Build the tool
+cd go-github-sync
+go build -o github-sync ./cmd/github-sync
+```
+
+## Usage
+
+```bash
+# Basic usage
+github-sync --primary https://example.org/repo.git --mirror https://github.com/user/repo
+
+# Output workflow to file
+github-sync --primary https://example.org/repo.git --mirror https://github.com/user/repo --output workflow.yml
+
+# Setup workflow in GitHub repository
+github-sync --primary https://example.org/repo.git --mirror https://github.com/user/repo --setup
+```
+
+### Command Line Options
+
+- `--primary`, `-p`: Primary repository URL (required)
+- `--mirror`, `-m`: GitHub mirror repository URL (required, auto-detected if possible)
+- `--primary-branch`: Primary repository branch name (default: "main")
+- `--mirror-branch`: GitHub mirror repository branch name (default: "main")
+- `--interval`, `-i`: Sync interval - hourly, daily, weekly (default: "hourly")
+- `--force`: Force sync by overwriting mirror with primary content (default: true)
+- `--output`, `-o`: Output file for workflow YAML (default: ".github/workflows/sync.yaml")
+- `--setup`: Automatically setup the workflow in the GitHub repository
+- `--verbose`, `-v`: Enable verbose logging
+
+## Requirements
+
+- GitHub token (needed when using `--setup` flag)
+  - Set via `GITHUB_TOKEN` or `GH_TOKEN` environment variable
+
+## Dependencies
+
+- github.com/google/go-github/v61
+- github.com/spf13/cobra
+- go.uber.org/zap
+- golang.org/x/oauth2
+- gopkg.in/yaml.v3
+
+## License
+
+MIT License
--- a/pkg/workflow/generator.go
+++ b/pkg/workflow/generator.go
@ -86,10 +86,23 @@ func generateWorkflowYAML(data WorkflowTemplate) (string, error) {
 			},
 			"workflow_dispatch": map[string]interface{}{}, // Allow manual triggering
 		},
+		// Add environment constraints to prevent running outside GitHub Actions
+		"permissions": map[string]string{
+			"contents": "write", // Needed to push changes
+			"actions":  "read",  // Minimal action permissions
+		},
 		"jobs": map[string]interface{}{
 			"sync": map[string]interface{}{
 				"runs-on": "ubuntu-latest",
+				// Add environment check to ensure GitHub Actions environment
+				"env": map[string]string{
+					"GITHUB_ACTIONS_ENVIRONMENT": "${{ github.action }}", // Should always be set in GitHub Actions
+				},
 				"steps": []map[string]interface{}{
+					{
+						"name": "Security Check",
+						"run":  "if [ \"$GITHUB_ACTIONS_ENVIRONMENT\" == \"\" ]; then echo \"This workflow is only intended to run inside GitHub Actions\"; exit 1; fi",
+					},
 					{
 						"name": "Checkout GitHub Mirror",
 						"uses": "actions/checkout@v3",