Support custom roles

root-signing-staging (and later root-signing) is planning to use a custom role for the online signing system. Add support for creating a custom role in the org so that a role can be defined and assigned to sigstore-bot for those repositories. Signed-off-by: Jussi Kukkonen <[email protected]>
sigstore · Feb 1, 2024 · 5b4d922 · 5b4d922
1 parent 9706c02
commit 5b4d922
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/main.go b/main.go
@@ -34,6 +34,19 @@ func main() {
 			log.Fatalf("Failed to load config: %v\n", err)
 		}
 
+		// sync custom roles
+		for _, customRole := range p.Config.CustomRoles {
+			roleArgs := &github.OrganizationCustomRoleArgs{
+				BaseRole:    pulumi.String(customRole.BaseRole),
+				Description: pulumi.String(customRole.Description),
+				Permissions: pulumi.ToStringArray(customRole.Permissions),
+			}
+			_, err := github.NewOrganizationCustomRole(ctx, customRole.Name, roleArgs)
+			if err != nil {
+				return err
+			}
+		}
+
 		// sync users
 		for _, member := range p.Config.Users {
 			_, err := github.NewMembership(ctx, member.Username, &github.MembershipArgs{

diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -4,6 +4,7 @@ type Config struct {
 	Users        []User       `yaml:"users"`
 	Teams        []Team       `yaml:"teams"`
 	Repositories []Repository `yaml:"repositories"`
+	CustomRoles  []CustomRole `yaml:"repositoryRoles"`
 }
 
 type User struct {
@@ -95,3 +96,10 @@ type BranchProtection struct {
 	RequireBranchesUpToDate       bool     `yaml:"requireBranchesUpToDate"`
 	PushRestrictions              []string `yaml:"pushRestrictions"`
 }
+
+type CustomRole struct {
+	Name        string   `yaml:"name"`
+	BaseRole    string   `yaml:"baseRole"`
+	Description string   `yaml:"description"`
+	Permissions []string `yaml:"permissions"`
+}