npalm/config.yml Secret

## config.yml
org: 040code
repository: <the-admin-jit-repo>
supportedOrgs:
  - 040code
reportPath: reports

## demotion-workflow.yml
name: Demote a user
on:
  issues:
    types: [closed]

jobs:
  demote-workflow:
    name: Demoting a user for closing an issue
    runs-on: ubuntu-latest
    permissions:
      issues: write
      contents: write
    env:
      GH_TOKEN: ${{ github.token }}
      DEMOTION_ERROR_NOTIFY: "@npalm"

    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - uses: philips-software/app-token-action@v1.1.2
        id: get_token
        with:
          app_id: ${{ secrets.APP_ID }}
          app_base64_private_key: ${{ secrets.APP_PRIVATE_KEY_BASE64 }}
          auth_type: installation

      - name: Add label automation-running
        if: always()
        run: gh issue edit --add-label automation-running ${{ github.event.issue.number }}

      - name: Parse the issue submitted
        id: issue_parser
        uses: 040code/admin-support-issueops-actions/admin-support-cli@main
        with:
          action: "parse_issue"
          issue_number: ${{ github.event.issue.number }}
          ticket: ${{ github.event.issue.number }}

      - name: Parse issue_parser json output
        id: parse_issue_output
        run: |
          target_org=$(echo ${{toJSON(steps.issue_parser.outputs.output)}} | jq -r .target_org)
          description=$(echo ${{toJSON(steps.issue_parser.outputs.output)}} | jq -r .description)
          duration=$(echo ${{toJSON(steps.issue_parser.outputs.output)}} | jq -r .duration)
          echo "target_org=$target_org" >> $GITHUB_OUTPUT
          echo "description=$description" >> $GITHUB_OUTPUT
          echo "duration=$duration" >> $GITHUB_OUTPUT

      - name: Demote user
        id: demote_admin
        uses: 040code/admin-support-issueops-actions/admin-support-cli@main
        continue-on-error: true
        with:
          action: "promote_demote"
          username: ${{ github.event.issue.user.login }}
          target_org: ${{ steps.parse_issue_output.outputs.target_org }}
          role: "member"
          admin_token: ${{ steps.get_token.outputs.token }}

      - name: Add a comment on the issue to confirm the demotion
        uses: actions/github-script@v6
        if: success()
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          script: |
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `✅ &nbsp; We have executed the request and now the user **@${{github.event.issue.user.login}}** has been demoted from ${{steps.parse_issue_output.outputs.target_org}}. \n\n This issue will be locked to avoid new interactions

              <sub>
                Find details of the automation <a href="https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${{github.run_id}}">here</a>.
              </sub>
              `
            })
            await github.rest.issues.lock({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo
            })

      - name: Add a comment to notify the team that this automation failed
        uses: actions/github-script@v6
        if: failure()
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          script: |
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `Demoting the user has failed. ${{env.DEMOTION_ERROR_NOTIFY}} have a look to make sure the user is left in a correct state.

              <sub>
                Find details of the automation <a href="https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${{github.run_id}}">here</a>.
              </sub>
              `
            })

      - name: Add labels user-demoted, manual-demotion
        if: ${{ success() && github.event.sender.login == github.event.issue.user.login }}
        run: |
          gh issue edit --add-label user-demoted ${{ github.event.issue.number }}
          gh issue edit --add-label manual-demotion ${{ github.event.issue.number }}

      - name: Add labels user-demoted, manual-demotion
        if: ${{ success() && github.event.sender.login != github.event.issue.user.login }}
        run: |
          gh issue edit --add-label user-demoted ${{ github.event.issue.number }}
          gh issue edit --add-label automatic-demotion ${{ github.event.issue.number }}

      - name: Remove label user-promoted
        if: success()
        run: gh issue edit --remove-label user-promoted ${{ github.event.issue.number }}

      - name: Remove label automation-running
        if: always()
        run: gh issue edit --remove-label automation-running ${{ github.event.issue.number }}

## promotion-workflow.yml
name: Promotion workflow
on:
  issues:
    types: [opened]

jobs:
  promote-workflow:
    name: Promote @${{ github.event.issue.user.login }} to admin
    runs-on: ubuntu-latest
    permissions:
      issues: write
      contents: read
    env:
      GH_TOKEN: ${{ github.token }}

    steps:
      - uses: actions/checkout@v3
      - uses: philips-software/app-token-action@v1.1.2 #1
        id: get_token
        with:
          app_id: ${{ secrets.APP_ID }}
          app_base64_private_key: ${{ secrets.APP_PRIVATE_KEY_BASE64 }}
          auth_type: installation

      - name: Add label automation-running
        if: always()
        run: gh issue edit --add-label automation-running ${{ github.event.issue.number }}

      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Parse the issue submitted
        id: issue_parser
        uses: 040code/admin-support-issueops-actions/admin-support-cli@main
        with:
          action: "parse_issue"
          issue_number: ${{ github.event.issue.number }}
          ticket: ${{ github.event.issue.number }}

      - name: Parse issue parser output
        id: parse_issue_output
        run: |
          target_org=$(echo ${{toJSON(steps.issue_parser.outputs.output)}} | jq -r .target_org)
          echo "target_org=$target_org" >> $GITHUB_OUTPUT

      - name: Grant admin access
        id: grant_admin
        uses: 040code/admin-support-issueops-actions/admin-support-cli@main
        with:
          action: "promote_demote"
          username: ${{ github.event.issue.user.login }}
          target_org: ${{ steps.parse_issue_output.outputs.target_org }}
          role: "admin"
          admin_token: ${{ steps.get_token.outputs.token }} #3

      - name: Add a comment on the issue
        uses: actions/github-script@v6
        if: success()
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }} #2
          script: |
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `✅ &nbsp; We have executed the request and now the user **@${{github.event.issue.user.login}}** is an admin on ${{steps.parse_issue_output.outputs.target_org}}. When you finish the operations required by the support ticket, close this issue to demote your permissions.

              <sub>
                Find details of the automation <a href="https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${{github.run_id}}">here</a>.
              </sub>
              `
            })

      - name: Add label user-promoted
        if: success()
        run: gh issue edit --add-label user-promoted ${{ github.event.issue.number }}

      - name: Add label promotion-error
        if: failure()
        run: gh issue edit --add-label promotion-error ${{ github.event.issue.number }}

      - name: Close issue if the promotion fails
        uses: actions/github-script@v6
        if: failure()
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            github.rest.issues.update({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              state: 'closed'
            })
            github.rest.issues.lock({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo
            })

      - name: Remove label automation-running
        if: always()
        run: gh issue edit --remove-label automation-running ${{ github.event.issue.number }}

## request-admin-access-issue-template.yml
---
name: Request administrator permission in the organization
about: Allows the support team to request a temporary admin permission in an organization
title: Request administrator permission
labels: ''
assignees: ''
---

Organization: 040code
Description:
Duration: 2
Ticket: 0

## timer-workflow.yml
name: Provisioning check to see if a user needs to be demoted
on:
  workflow_dispatch:

jobs:
  provisioning-check:
    name: Close issues with expired duration
    runs-on: ubuntu-latest
    steps:
      - uses: philips-software/app-token-action@v1.1.2
        id: get_token
        with:
          app_id: ${{ secrets.APP_ID }}
          app_base64_private_key: ${{ secrets.APP_PRIVATE_KEY_BASE64 }}
          auth_type: installation

      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Run through all the issues and close them if they are expired
        id: issue_parser
        uses: 040code/admin-support-issueops-actions/admin-support-cli@main
        with:
          action: "check_auto_demotion"
          ticket: ${{ github.event.issue.number }}
          # Require a non default action token, otherwise it won't trigger a job on issue close
          admin_token: ${{ steps.get_token.outputs.token }}
	org: 040code
	repository: <the-admin-jit-repo>
	supportedOrgs:
	- 040code
	reportPath: reports
	name: Demote a user
	on:
	issues:
	types: [closed]

	jobs:
	demote-workflow:
	name: Demoting a user for closing an issue
	runs-on: ubuntu-latest
	permissions:
	issues: write
	contents: write
	env:
	GH_TOKEN: ${{ github.token }}
	DEMOTION_ERROR_NOTIFY: "@npalm"

	steps:
	- name: Checkout repository
	uses: actions/checkout@v3

	- uses: philips-software/app-token-action@v1.1.2
	id: get_token
	with:
	app_id: ${{ secrets.APP_ID }}
	app_base64_private_key: ${{ secrets.APP_PRIVATE_KEY_BASE64 }}
	auth_type: installation

	- name: Add label automation-running
	if: always()
	run: gh issue edit --add-label automation-running ${{ github.event.issue.number }}

	- name: Parse the issue submitted
	id: issue_parser
	uses: 040code/admin-support-issueops-actions/admin-support-cli@main
	with:
	action: "parse_issue"
	issue_number: ${{ github.event.issue.number }}
	ticket: ${{ github.event.issue.number }}

	- name: Parse issue_parser json output
	id: parse_issue_output
	run: \|
	target_org=$(echo ${{toJSON(steps.issue_parser.outputs.output)}} \| jq -r .target_org)
	description=$(echo ${{toJSON(steps.issue_parser.outputs.output)}} \| jq -r .description)
	duration=$(echo ${{toJSON(steps.issue_parser.outputs.output)}} \| jq -r .duration)
	echo "target_org=$target_org" >> $GITHUB_OUTPUT
	echo "description=$description" >> $GITHUB_OUTPUT
	echo "duration=$duration" >> $GITHUB_OUTPUT

	- name: Demote user
	id: demote_admin
	uses: 040code/admin-support-issueops-actions/admin-support-cli@main
	continue-on-error: true
	with:
	action: "promote_demote"
	username: ${{ github.event.issue.user.login }}
	target_org: ${{ steps.parse_issue_output.outputs.target_org }}
	role: "member"
	admin_token: ${{ steps.get_token.outputs.token }}

	- name: Add a comment on the issue to confirm the demotion
	uses: actions/github-script@v6
	if: success()
	with:
	github-token: ${{secrets.GITHUB_TOKEN}}
	script: \|
	await github.rest.issues.createComment({
	issue_number: context.issue.number,
	owner: context.repo.owner,
	repo: context.repo.repo,
	body: `✅   We have executed the request and now the user @${{github.event.issue.user.login}} has been demoted from ${{steps.parse_issue_output.outputs.target_org}}. \n\n This issue will be locked to avoid new interactions

	<sub>
	Find details of the automation <a href="https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${{github.run_id}}">here</a>.
	</sub>
	`
	})
	await github.rest.issues.lock({
	issue_number: context.issue.number,
	owner: context.repo.owner,
	repo: context.repo.repo
	})

	- name: Add a comment to notify the team that this automation failed
	uses: actions/github-script@v6
	if: failure()
	with:
	github-token: ${{secrets.GITHUB_TOKEN}}
	script: \|
	await github.rest.issues.createComment({
	issue_number: context.issue.number,
	owner: context.repo.owner,
	repo: context.repo.repo,
	body: `Demoting the user has failed. ${{env.DEMOTION_ERROR_NOTIFY}} have a look to make sure the user is left in a correct state.

	<sub>
	Find details of the automation <a href="https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${{github.run_id}}">here</a>.
	</sub>
	`
	})

	- name: Add labels user-demoted, manual-demotion
	if: ${{ success() && github.event.sender.login == github.event.issue.user.login }}
	run: \|
	gh issue edit --add-label user-demoted ${{ github.event.issue.number }}
	gh issue edit --add-label manual-demotion ${{ github.event.issue.number }}

	- name: Add labels user-demoted, manual-demotion
	if: ${{ success() && github.event.sender.login != github.event.issue.user.login }}
	run: \|
	gh issue edit --add-label user-demoted ${{ github.event.issue.number }}
	gh issue edit --add-label automatic-demotion ${{ github.event.issue.number }}

	- name: Remove label user-promoted
	if: success()
	run: gh issue edit --remove-label user-promoted ${{ github.event.issue.number }}

	- name: Remove label automation-running
	if: always()
	run: gh issue edit --remove-label automation-running ${{ github.event.issue.number }}
	name: Promotion workflow
	on:
	issues:
	types: [opened]

	jobs:
	promote-workflow:
	name: Promote @${{ github.event.issue.user.login }} to admin
	runs-on: ubuntu-latest
	permissions:
	issues: write
	contents: read
	env:
	GH_TOKEN: ${{ github.token }}

	steps:
	- uses: actions/checkout@v3
	- uses: philips-software/app-token-action@v1.1.2 #1
	id: get_token
	with:
	app_id: ${{ secrets.APP_ID }}
	app_base64_private_key: ${{ secrets.APP_PRIVATE_KEY_BASE64 }}
	auth_type: installation

	- name: Add label automation-running
	if: always()
	run: gh issue edit --add-label automation-running ${{ github.event.issue.number }}

	- name: Checkout repository
	uses: actions/checkout@v3

	- name: Parse the issue submitted
	id: issue_parser
	uses: 040code/admin-support-issueops-actions/admin-support-cli@main
	with:
	action: "parse_issue"
	issue_number: ${{ github.event.issue.number }}
	ticket: ${{ github.event.issue.number }}

	- name: Parse issue parser output
	id: parse_issue_output
	run: \|
	target_org=$(echo ${{toJSON(steps.issue_parser.outputs.output)}} \| jq -r .target_org)
	echo "target_org=$target_org" >> $GITHUB_OUTPUT

	- name: Grant admin access
	id: grant_admin
	uses: 040code/admin-support-issueops-actions/admin-support-cli@main
	with:
	action: "promote_demote"
	username: ${{ github.event.issue.user.login }}
	target_org: ${{ steps.parse_issue_output.outputs.target_org }}
	role: "admin"
	admin_token: ${{ steps.get_token.outputs.token }} #3

	- name: Add a comment on the issue
	uses: actions/github-script@v6
	if: success()
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }} #2
	script: \|
	github.rest.issues.createComment({
	issue_number: context.issue.number,
	owner: context.repo.owner,
	repo: context.repo.repo,
	body: `✅   We have executed the request and now the user @${{github.event.issue.user.login}} is an admin on ${{steps.parse_issue_output.outputs.target_org}}. When you finish the operations required by the support ticket, close this issue to demote your permissions.

	<sub>
	Find details of the automation <a href="https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${{github.run_id}}">here</a>.
	</sub>
	`
	})

	- name: Add label user-promoted
	if: success()
	run: gh issue edit --add-label user-promoted ${{ github.event.issue.number }}

	- name: Add label promotion-error
	if: failure()
	run: gh issue edit --add-label promotion-error ${{ github.event.issue.number }}

	- name: Close issue if the promotion fails
	uses: actions/github-script@v6
	if: failure()
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }}
	script: \|
	github.rest.issues.update({
	issue_number: context.issue.number,
	owner: context.repo.owner,
	repo: context.repo.repo,
	state: 'closed'
	})
	github.rest.issues.lock({
	issue_number: context.issue.number,
	owner: context.repo.owner,
	repo: context.repo.repo
	})

	- name: Remove label automation-running
	if: always()
	run: gh issue edit --remove-label automation-running ${{ github.event.issue.number }}
	---
	name: Request administrator permission in the organization
	about: Allows the support team to request a temporary admin permission in an organization
	title: Request administrator permission
	labels: ''
	assignees: ''
	---

	Organization: 040code
	Description:
	Duration: 2
	Ticket: 0
	name: Provisioning check to see if a user needs to be demoted
	on:
	workflow_dispatch:

	jobs:
	provisioning-check:
	name: Close issues with expired duration
	runs-on: ubuntu-latest
	steps:
	- uses: philips-software/app-token-action@v1.1.2
	id: get_token
	with:
	app_id: ${{ secrets.APP_ID }}
	app_base64_private_key: ${{ secrets.APP_PRIVATE_KEY_BASE64 }}
	auth_type: installation

	- name: Checkout repository
	uses: actions/checkout@v3

	- name: Run through all the issues and close them if they are expired
	id: issue_parser
	uses: 040code/admin-support-issueops-actions/admin-support-cli@main
	with:
	action: "check_auto_demotion"
	ticket: ${{ github.event.issue.number }}
	# Require a non default action token, otherwise it won't trigger a job on issue close
	admin_token: ${{ steps.get_token.outputs.token }}