Add initial implementation of ClickHouse Cloud IP Whitelist GitHub Action

- Created action to automatically whitelist GitHub Actions runner IP in ClickHouse Cloud with cleanup.
- Added TypeScript support with configuration files (.tsconfig.json, .prettierrc.json, .eslint.config.mjs).
- Included example workflows for usage and testing.
- Implemented logging and error handling for IP management.
- Added necessary dependencies and scripts in package.json.
- Created README.md with usage instructions and best practices.
- Added .gitignore and .prettierignore files for project cleanliness.

Author: merrcury

.github/workflows/example.yml

@@ -0,0 +1,34 @@
+name: Example Usage
+
+on:
+  workflow_dispatch:
+
+jobs:
+  example:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Whitelist Runner IP
+        id: whitelist
+        uses: ./
+        with:
+          clickhouse-org-id: ${{ secrets.CLICKHOUSE_ORG_ID }}
+          clickhouse-service-id: ${{ secrets.CLICKHOUSE_SERVICE_ID }}
+          clickhouse-api-key-id: ${{ secrets.CLICKHOUSE_API_KEY_ID }}
+          clickhouse-api-key-secret: ${{ secrets.CLICKHOUSE_API_KEY_SECRET }}
+
+      - name: Display whitelisted IP
+        run: |
+          echo "Runner IP whitelisted: ${{ steps.whitelist.outputs.runner-ip }}"
+
+      - name: Simulate ClickHouse operations
+        run: |
+          echo "Performing database operations..."
+          sleep 5
+          echo "Operations complete!"
+
+      # Cleanup happens automatically here
+      # The IP will be removed from the allowlist
+

.github/workflows/test.yml

@@ -0,0 +1,48 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run format check
+        run: npm run format-check
+
+      - name: Run linter
+        run: npm run lint
+
+      - name: Run tests
+        run: npm test
+
+      - name: Build
+        run: npm run build
+
+      - name: Bundle
+        run: npm run bundle
+
+      - name: Check for uncommitted changes
+        run: |
+          if [ -n "$(git status --porcelain)" ]; then
+            echo "Uncommitted changes found in dist/ directory!"
+            echo "Please run 'npm run bundle' and commit the changes."
+            git status --porcelain
+            exit 1
+          fi
+

.gitignore

@@ -0,0 +1,34 @@
+# Dependency directories
+node_modules/
+
+# TypeScript build output
+# NOTE: dist/ is NOT ignored because GitHub Actions needs it!
+# The bundled JS files in dist/ must be committed to the repo
+*.tsbuildinfo
+
+# Test coverage
+coverage/
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Environment variables
+.env
+.env.local
+.env.*.local
+
+# Logs
+logs/
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+

.prettierignore

@@ -0,0 +1,5 @@
+node_modules/
+dist/
+coverage/
+*.min.js
+

.prettierrc.json

@@ -0,0 +1,9 @@
+{
+  "semi": false,
+  "trailingComma": "none",
+  "singleQuote": true,
+  "printWidth": 80,
+  "tabWidth": 2,
+  "arrowParens": "avoid"
+}
+

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Noti-fire Apps Ltd.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,174 @@
+# ClickHouse Cloud IP Whitelist Action
+
+A GitHub Action that automatically whitelists your GitHub Actions runner IP address in ClickHouse Cloud, with automatic cleanup after your job completes.
+
+## Features
+
+- 🔐 **Automatic IP Whitelisting**: Adds the current runner's IP to your ClickHouse Cloud service allowlist
+- 🧹 **Automatic Cleanup**: Removes the IP from the allowlist when the job completes (even if it fails)
+- 🚀 **Zero Configuration**: Just provide your ClickHouse credentials
+- ✅ **Secure**: Uses ClickHouse Cloud API with proper authentication
+
+## Usage
+
+### Prerequisites
+
+You'll need the following from ClickHouse Cloud:
+- Organization ID
+- Service ID
+- API Key ID
+- API Key Secret
+
+### Basic Example
+
+```yaml
+name: ClickHouse Migration
+
+on: [push]
+
+jobs:
+  migrate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Whitelist Runner IP
+        uses: your-username/clickhouse-cloud-whitelist-ip@v1
+        with:
+          clickhouse-org-id: ${{ secrets.CLICKHOUSE_ORG_ID }}
+          clickhouse-service-id: ${{ secrets.CLICKHOUSE_SERVICE_ID }}
+          clickhouse-api-key-id: ${{ secrets.CLICKHOUSE_API_KEY_ID }}
+          clickhouse-api-key-secret: ${{ secrets.CLICKHOUSE_API_KEY_SECRET }}
+
+      - name: Run Database Operations
+        run: |
+          # Your ClickHouse operations here
+          # The runner IP is now whitelisted!
+          
+      # IP is automatically removed from allowlist after job completes
+```
+
+### Using the Output
+
+The action outputs the whitelisted IP address:
+
+```yaml
+- name: Whitelist Runner IP
+  id: whitelist
+  uses: your-username/clickhouse-cloud-whitelist-ip@v1
+  with:
+    clickhouse-org-id: ${{ secrets.CLICKHOUSE_ORG_ID }}
+    clickhouse-service-id: ${{ secrets.CLICKHOUSE_SERVICE_ID }}
+    clickhouse-api-key-id: ${{ secrets.CLICKHOUSE_API_KEY_ID }}
+    clickhouse-api-key-secret: ${{ secrets.CLICKHOUSE_API_KEY_SECRET }}
+
+- name: Show IP
+  run: echo "Runner IP is ${{ steps.whitelist.outputs.runner-ip }}"
+```
+
+## Inputs
+
+| Input | Description | Required |
+|-------|-------------|----------|
+| `clickhouse-org-id` | ClickHouse Cloud Organization ID | Yes |
+| `clickhouse-service-id` | ClickHouse Cloud Service ID | Yes |
+| `clickhouse-api-key-id` | ClickHouse Cloud API Key ID | Yes |
+| `clickhouse-api-key-secret` | ClickHouse Cloud API Key Secret | Yes |
+
+## Outputs
+
+| Output | Description |
+|--------|-------------|
+| `runner-ip` | The IP address of the GitHub Actions runner that was whitelisted |
+
+## How It Works
+
+1. **Main Step**: 
+   - Fetches the current runner's public IP address using ipify.org
+   - Adds the IP (as a /32 CIDR) to your ClickHouse Cloud service's IP allowlist
+   - Saves the IP and credentials to action state
+   - Outputs the IP address
+
+2. **Cleanup Step** (runs automatically at job end):
+   - Retrieves the IP from action state
+   - Removes the IP from the allowlist
+   - Runs even if the job fails (using `post-if: always()`)
+
+## Security Best Practices
+
+1. **Store credentials as GitHub Secrets**: Never hardcode your ClickHouse credentials in workflows
+2. **Use environment-specific secrets**: Create separate API keys for different environments
+3. **Limit API key permissions**: Use the minimum required permissions for your API keys
+4. **Monitor access logs**: Regularly check your ClickHouse Cloud access logs
+
+## Troubleshooting
+
+### IP not whitelisted
+
+If you see connection errors:
+1. Check that all four credentials are correct
+2. Verify your service ID is correct
+3. Ensure your API key has permissions to modify IP allowlists
+
+### Cleanup not running
+
+The cleanup step runs automatically using GitHub Actions' `post` lifecycle. It will:
+- Run even if previous steps fail
+- Only log warnings if cleanup fails (won't fail the job)
+
+## Development
+
+### Building
+
+```bash
+# Install dependencies
+npm install
+
+# Build TypeScript
+npm run build
+
+# Bundle for distribution
+npm run bundle
+
+# Run all checks (format, lint, test, bundle)
+npm run all
+```
+
+### Testing Locally
+
+You can test the action locally using the `@github/local-action` utility:
+
+```bash
+# Create a .env file with your credentials (see .env.example)
+# Then run:
+npx @github/local-action . src/main.ts .env
+```
+
+### Project Structure
+
+```
+.
+├── src/
+│   ├── main.ts      # Main action (adds IP to allowlist)
+│   └── cleanup.ts   # Cleanup action (removes IP from allowlist)
+├── dist/            # Compiled JavaScript (committed to repo)
+├── action.yml       # Action metadata
+├── package.json     # Dependencies and scripts
+└── tsconfig.json    # TypeScript configuration
+```
+
+## Contributing
+
+Contributions are welcome! Please feel free to submit a Pull Request.
+
+## License
+
+MIT
+
+## Acknowledgments
+
+- Built with [actions/toolkit](https://github.com/actions/toolkit)
+- IP detection via [ipify.org](https://www.ipify.org/)
+- Template from [actions/typescript-action](https://github.com/actions/typescript-action)
+

__tests__/main.test.ts

@@ -0,0 +1,9 @@
+describe('ClickHouse Cloud IP Whitelist Action', () => {
+  it('should be testable', () => {
+    expect(true).toBe(true)
+  })
+
+  // Add more tests here as needed
+  // Mock the @actions/core module for unit testing
+  // Mock fetch calls to test API interactions
+})

action.yml

@@ -0,0 +1,32 @@
+name: 'ClickHouse Cloud IP Whitelist'
+description: 'Automatically whitelist GitHub Actions runner IP in ClickHouse Cloud with cleanup'
+author: 'Noti-fire Apps Ltd.'
+
+branding:
+  icon: 'lock'
+  color: 'yellow'
+
+inputs:
+  clickhouse-org-id:
+    description: 'ClickHouse Cloud Organization ID'
+    required: true
+  clickhouse-service-id:
+    description: 'ClickHouse Cloud Service ID'
+    required: true
+  clickhouse-api-key-id:
+    description: 'ClickHouse Cloud API Key ID'
+    required: true
+  clickhouse-api-key-secret:
+    description: 'ClickHouse Cloud API Key Secret'
+    required: true
+
+outputs:
+  runner-ip:
+    description: 'The IP address of the GitHub Actions runner that was whitelisted'
+
+runs:
+  using: 'node20'
+  main: 'dist/index.js'
+  post: 'dist/cleanup.js'
+  post-if: 'always()'
+

dist/cleanup.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=cleanup.d.ts.map