Automating RBAC HTML Reports to PR Comments: Review-Driven Security in GitHub Actions
Keeping track of access control changes is hard — unless your CI does it for you.
This guide shows how to:
- Generate a Role × Field matrix in HTML
- Detect diffs between dev and prod RBAC
- Auto-post a visual report as a comment on the related GitHub Pull Request
No more guessing who can access what — reviewers get it inline and real-time.
1. Output Format: HTML Report
Use your rbac-matrix.js or a similar script to generate:
node rbac-matrix.js metadata-dev/ > rbac-dev.csv
node rbac-matrix.js metadata-prod/ > rbac-prod.csv
node diff-rbac.js rbac-dev.csv rbac-prod.csv > rbac-diff.html
Example table (simplified):
<table>
  <tr><th>Role</th><th>Table</th><th>Field</th><th>Diff</th></tr>
  <tr><td>user</td><td>invoices</td><td>amount</td><td style="color: red;">SELECT: Removed</td></tr>
  <tr><td>admin</td><td>logs</td><td>ip_address</td><td style="color: green;">INSERT: Added</td></tr>
</table>
Wrap this with a heading:
RBAC Drift Report
...table here...
2. GitHub Actions Workflow
Step 1: Prepare workflow file .github/workflows/rbac-report.yml
name: RBAC Diff and PR Comment
on:
  pull_request:
    paths:
      # Filter on the directories the job actually reads; a 'metadata/**' filter
      # would never fire for changes under metadata-dev/ or metadata-prod/.
      - 'metadata-dev/**'
      - 'metadata-prod/**'
# Least-privilege token: reading the repo and commenting on the PR is all this job needs.
# For pull requests opened from forks GITHUB_TOKEN is read-only, so the comment step fails there.
permissions:
  contents: read
  pull-requests: write
jobs:
  rbac-diff:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Setup Node
        uses: actions/setup-node@v3
        with:
          node-version: '18'
      - name: Install Deps
        run: npm install
      - name: Generate RBAC Diff Report
        run: |
          node rbac-matrix.js metadata-dev/ > rbac-dev.csv
          node rbac-matrix.js metadata-prod/ > rbac-prod.csv
          node diff-rbac.js rbac-dev.csv rbac-prod.csv > rbac-diff.html
      - name: Post Comment
        uses: peter-evans/create-or-update-comment@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          issue-number: ${{ github.event.pull_request.number }}
          body-path: ./rbac-diff.html
          # edit-mode only takes effect when a comment-id is supplied; without one the
          # action posts a fresh comment on every run.
          edit-mode: replace