arazzo: 1.0.1
info:
  title: JFrog Grant Repository Permission
  summary: Create a permission target granting a group access to a repository.
  description: >-
    Access control in Artifactory is expressed through permission targets. The
    workflow confirms the target repository exists, creates or replaces a
    permission target granting a group read and write on that repository, then
    reads the permission target back to confirm it was stored. Every step spells
    out its request inline so the flow can be read and executed without opening
    the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: artifactoryApi
  url: ../openapi/jfrog-artifactory-openapi.yml
  type: openapi
workflows:
- workflowId: grant-repository-permission
  summary: Grant a group read/write on a repository via a permission target.
  description: >-
    Verifies the repository, creates a permission target binding the group to
    read and write actions on it, then fetches the target to confirm.
  inputs:
    type: object
    required:
    - permissionTargetName
    - repoKey
    - groupName
    properties:
      permissionTargetName:
        type: string
        description: The name of the permission target to create.
      repoKey:
        type: string
        description: The repository key the permission applies to.
      groupName:
        type: string
        description: The group to grant read and write to.
  steps:
  - stepId: confirmRepo
    description: >-
      Confirm the target repository exists before binding a permission target to
      it.
    operationId: getRepository
    parameters:
    - name: repoKey
      in: path
      value: $inputs.repoKey
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      key: $response.body#/key
  - stepId: createPermissionTarget
    description: >-
      Create or replace the permission target granting the group read and write
      on the repository.
    operationId: createOrReplacePermissionTarget
    parameters:
    - name: permissionTargetName
      in: path
      value: $inputs.permissionTargetName
    requestBody:
      contentType: application/json
      payload:
        name: $inputs.permissionTargetName
        repo:
          repositories:
          - $steps.confirmRepo.outputs.key
          actions:
            groups:
              $inputs.groupName:
              - read
              - write
          includePatterns:
          - "**"
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      targetName: $inputs.permissionTargetName
  - stepId: verifyPermission
    description: >-
      Read the permission target back to confirm it was stored with the expected
      name.
    operationId: getPermissionTarget
    parameters:
    - name: permissionTargetName
      in: path
      value: $steps.createPermissionTarget.outputs.targetName
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      name: $response.body#/name
  outputs:
    permissionTargetName: $steps.verifyPermission.outputs.name