🩹 [Patch]: Add Fine-Grained Permissions Data for GitHub PowerShell Module (#501)

Copilot · MariusStorhaug · web-flow · commit fff966da86a2 · 2025-09-09T15:17:24.000+02:00
This PR implements a comprehensive fine-grained permissions data infrastructure for the GitHub PowerShell module, enabling detection of GitHub App installations that may be missing newly added permissions. - Fixes #485 ## What's New ### GitHubPermission Class Added a new public `GitHubPermission` class with the following properties: - **Name** - Programmatic permission name (e.g., `contents`, `issues`) - **DisplayName** - Human-friendly name (e.g., "Contents", "Issues") - **Description** - Brief description of what access the permission grants - **URL** - Link to relevant GitHub documentation - **Options** - Available access levels (`read`, `write`, `admin`) - **Type** - Permission type (`Fine-grained`, `Classic`) - **Scope** - Application scope (`Repository`, `Organization`, `User`, `Enterprise`) ### Comprehensive Permissions Database Added 90 fine-grained permissions covering all major GitHub permission categories: - **33 Repository permissions** - actions, contents, issues, pull_requests, secrets, etc. - **33 Organization permissions** - members, administration, organization_secrets, etc. - **18 User permissions** - profile, followers, git_ssh_keys, etc. - **6 Enterprise permissions** - custom properties, organization installation, etc. ### Get-GitHubPermissionDefinition Function New public function to query the permissions database with advanced filtering: ```powershell # Get all permissions Get-GitHubPermissionDefinition # Filter by scope Get-GitHubPermissionDefinition -Scope Repository # Combined filtering Get-GitHubPermissionDefinition -Type Fine-grained -Scope Organization # Find specific permissions Get-GitHubPermissionDefinition -Name 'contents' ``` ### Argument Completers Added argument completers for `Get-GitHubPermissionDefinition` parameters to improve user experience: - **Name** - Tab completion for available permission names (actions, contents, issues, etc.) - **DisplayName** - Tab completion for available permission display names (Actions, Dependabot alerts, etc.) - **Type** - Tab completion for available permission types (Fine-grained) - **Scope** - Tab completion for available scopes (Repository, Organization, User, Enterprise) ## Use Cases This infrastructure enables several key scenarios: 1. **Permission Validation** - Compare GitHub App installations against the complete permissions list 2. **Installation Health Checks** - Detect apps missing newly added permissions 3. **Documentation** - Provide users with comprehensive permission reference 4. **Automation** - Build tools that ensure installations stay current with permission requirements 5. **Enhanced User Experience** - Tab completion for parameter values improves usability ## Implementation Details - **File path permissions excluded** - These are handled differently by the GitHub API (appear under `FilePaths` property rather than as named permissions) - **Maintainable structure** - Easy to update when GitHub adds new permissions - **Performance optimized** - Efficient filtering and lookup operations - **Comprehensive testing** - Full test coverage for all functionality - **Argument completion** - Improves user experience with tab completion support ## Example Usage ```powershell # Check what repository permissions are available (with tab completion) $repoPerms = Get-GitHubPermissionDefinition -Scope <TAB> Write-Host "Repository permissions: $($repoPerms.Count)" # Get details about the contents permission (with tab completion) $contents = Get-GitHubPermissionDefinition -Name cont<TAB> Write-Host "$($contents.DisplayName): $($contents.Description)" Write-Host "Available options: $($contents.Options -join ', ')" ``` This provides the foundation for building automated permission management tools and ensuring GitHub App installations remain up-to-date with the latest permission requirements. --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: MariusStorhaug <17722253+MariusStorhaug@users.noreply.github.com> Co-authored-by: Marius Storhaug <marstor@hotmail.com>
diff --git a/src/classes/public/GitHubPermissionDefinition.ps1 b/src/classes/public/GitHubPermissionDefinition.ps1
@@ -0,0 +1,46 @@
+class GitHubPermissionDefinition {
+    # The programmatic name of the permission as returned by the GitHub API
+    [string] $Name
+
+    # The human-friendly name of the permission as shown in the GitHub UI
+    [string] $DisplayName
+
+    # A brief description of what access the permission grants
+    [string] $Description
+
+    # A link to the relevant documentation or GitHub UI page
+    [uri] $URL
+
+    # The levels of access that can be granted for this permission
+    [string[]] $Options
+
+    # The type of permission (Fine-grained, Classic)
+    [string] $Type
+
+    # The scope at which this permission applies (Repository, Organization, User, Enterprise)
+    [string] $Scope
+
+    GitHubPermissionDefinition() {}
+
+    GitHubPermissionDefinition(
+        [string]$Name,
+        [string]$DisplayName,
+        [string]$Description,
+        [string]$URL,
+        [string[]]$Options,
+        [string]$Type,
+        [string]$Scope
+    ) {
+        $this.Name = $Name
+        $this.DisplayName = $DisplayName
+        $this.Description = $Description
+        $this.URL = [uri]$URL
+        $this.Options = $Options
+        $this.Type = $Type
+        $this.Scope = $Scope
+    }
+
+    [string] ToString() {
+        return $this.Name
+    }
+}
diff --git a/src/formats/GitHubPermissionDefinition.Format.ps1xml b/src/formats/GitHubPermissionDefinition.Format.ps1xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Configuration>
+    <ViewDefinitions>
+        <View>
+            <Name>GitHubPermissionDefinitionTable</Name>
+            <ViewSelectedBy>
+                <TypeName>GitHubPermissionDefinition</TypeName>
+            </ViewSelectedBy>
+            <TableControl>
+                <TableHeaders>
+                    <TableColumnHeader>
+                        <Label>Scope</Label>
+                    </TableColumnHeader>
+                    <TableColumnHeader>
+                        <Label>DisplayName</Label>
+                    </TableColumnHeader>
+                    <TableColumnHeader>
+                        <Label>Description</Label>
+                    </TableColumnHeader>
+                </TableHeaders>
+                <TableRowEntries>
+                    <TableRowEntry>
+                        <TableColumnItems>
+                            <TableColumnItem>
+                                <PropertyName>Scope</PropertyName>
+                            </TableColumnItem>
+                            <TableColumnItem>
+                                <ScriptBlock>
+                                    if ($Host.UI.SupportsVirtualTerminal -and
+                                    ($env:GITHUB_ACTIONS -ne 'true') -and $_.Url) {
+                                    $PSStyle.FormatHyperlink($_.DisplayName, $_.Url)
+                                    } else {
+                                    $_.DisplayName
+                                    }
+                                </ScriptBlock>
+                            </TableColumnItem>
+                            <TableColumnItem>
+                                <PropertyName>Description</PropertyName>
+                            </TableColumnItem>
+                        </TableColumnItems>
+                    </TableRowEntry>
+                </TableRowEntries>
+            </TableControl>
+        </View>
+    </ViewDefinitions>
+</Configuration>
diff --git a/src/functions/public/Permission/Get-GitHubPermissionDefinition.ps1 b/src/functions/public/Permission/Get-GitHubPermissionDefinition.ps1
@@ -0,0 +1,104 @@
+function Get-GitHubPermissionDefinition {
+    <#
+        .SYNOPSIS
+        Retrieves GitHub permission definitions
+
+        .DESCRIPTION
+        Gets the list of GitHub permission definitions from the module's internal data store.
+        This includes fine-grained permissions for repositories, organizations, and user accounts.
+        The function supports filtering by permission type and scope to help you find specific permissions.
+
+        File path-specific permissions are excluded from this list as they are handled differently
+        by the GitHub API (they appear under the FilePaths property in installation data rather
+        than as named permissions).
+
+        .EXAMPLE
+        Get-GitHubPermissionDefinition
+
+        Gets all permission definitions.
+
+        .EXAMPLE
+        Get-GitHubPermissionDefinition -Type Fine-grained
+
+        Gets all fine-grained permission definitions.
+
+        .EXAMPLE
+        Get-GitHubPermissionDefinition -Scope Repository
+
+        Gets all permission definitions that apply to repository scope.
+
+        .EXAMPLE
+        Get-GitHubPermissionDefinition -Type Fine-grained -Scope Organization
+
+        Gets all fine-grained permission definitions that apply to organization scope.
+
+        .EXAMPLE
+        Get-GitHubPermissionDefinition -Name contents
+
+        Gets the specific permission definition for 'contents' permission.
+
+        .NOTES
+        This function provides access to a curated list of GitHub permission definitions maintained within the module.
+        The data includes permission names, display names, descriptions, available options, and scopes.
+
+        File path permissions are excluded from this list as they are handled differently by the GitHub API.
+        These permissions are user-specified paths with read/write access that appear in the FilePaths
+        property of GitHub App installation data, not as standard named permissions.
+
+        .LINK
+        https://psmodule.io/GitHub/Functions/Permission/Get-GitHubPermissionDefinition
+    #>
+    [OutputType([GitHubPermissionDefinition[]])]
+    [CmdletBinding()]
+    param(
+        # Filter by permission name (supports multiple values & wildcards)
+        [Parameter()]
+        [string[]] $Name = '*',
+
+        # Filter by permission display name (supports multiple values & wildcards)
+        [Parameter()]
+        [string[]] $DisplayName = '*',
+
+        # Filter by permission type (supports multiple values & wildcards)
+        [Parameter()]
+        [string[]] $Type = '*',
+
+        # Filter by permission scope (supports multiple values & wildcards)
+        [Parameter()]
+        [string[]] $Scope = '*'
+    )
+
+    begin {
+        $stackPath = Get-PSCallStackPath
+        Write-Debug "[$stackPath] - Start"
+    }
+
+    process {
+        try {
+            [scriptblock]$test = {
+                param(
+                    [Parameter(Mandatory)][string] $Value,
+                    [Parameter(Mandatory)][string[]] $Patterns
+                )
+                foreach ($p in $Patterns) {
+                    if ($Value -like $p) { return $true }
+                }
+                return $false
+            }
+
+            $script:GitHub.Permissions | Where-Object {
+                (& $test -Value $_.Name -Patterns $Name) -and
+                (& $test -Value $_.DisplayName -Patterns $DisplayName) -and
+                (& $test -Value $_.Type -Patterns $Type) -and
+                (& $test -Value $_.Scope -Patterns $Scope)
+            }
+        } catch {
+            Write-Error "Failed to retrieve GitHub permission definitions: $($_.Exception.Message)"
+            throw
+        }
+    }
+
+    end {
+        Write-Debug "[$stackPath] - End"
+    }
+}
diff --git a/src/functions/public/Permission/completers.ps1 b/src/functions/public/Permission/completers.ps1
@@ -0,0 +1,35 @@
+﻿Register-ArgumentCompleter -CommandName Get-GitHubPermissionDefinition -ParameterName Name -ScriptBlock {
+    param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
+    $null = $commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters
+
+    $script:GitHub.Permissions.Name | Sort-Object -Unique | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
+        [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', $_)
+    }
+}
+
+Register-ArgumentCompleter -CommandName Get-GitHubPermissionDefinition -ParameterName DisplayName -ScriptBlock {
+    param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
+    $null = $commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters
+
+    $script:GitHub.Permissions.DisplayName | Sort-Object -Unique | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
+        [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', $_)
+    }
+}
+
+Register-ArgumentCompleter -CommandName Get-GitHubPermissionDefinition -ParameterName Type -ScriptBlock {
+    param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
+    $null = $commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters
+
+    $script:GitHub.Permissions.Type | Sort-Object -Unique | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
+        [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', $_)
+    }
+}
+
+Register-ArgumentCompleter -CommandName Get-GitHubPermissionDefinition -ParameterName Scope -ScriptBlock {
+    param($commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters)
+    $null = $commandName, $parameterName, $wordToComplete, $commandAst, $fakeBoundParameters
+
+    $script:GitHub.Permissions.Scope | Sort-Object -Unique | Where-Object { $_ -like "$wordToComplete*" } | ForEach-Object {
+        [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', $_)
+    }
+}
diff --git a/src/variables/private/GitHub.ps1 b/src/variables/private/GitHub.ps1
diff --git a/tests/Permissions.Tests.ps1 b/tests/Permissions.Tests.ps1
