-
Notifications
You must be signed in to change notification settings - Fork 334
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Updates the permissions block to be minimal #689
Conversation
9473576
to
f374474
Compare
From our last internal discussion about this, I believe that So perhaps let's go with the recommendation of |
Sure, and I can add some comments on when different scopes may not be needed. |
Here are the API calls we are making (just doing a code search for
Unless I've missed something, we only need |
f374474
to
1f9cee9
Compare
Plus you need enough permission to check out the repo itself in the workflow (but not in the Action), which I believe is either |
Ah..yes. Again, only for private repos, it seems. So, |
And adds a permissions block to the README.
1f9cee9
to
2175328
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM once you resolve the changelog conflict. Thanks!
@aeisenberg I am trying to figure out the required permissions for any GitHub Action. What is the process to get all the necessary permission? Thanks |
There's no principled way of doing this that I can think of. An action can make any arbitrary request to the github api. And it can make requests in many ways (since they are just fundamentally REST requests): You could try setting very restrictive permissions, and slowly loosen them until you get your workflow passing. Alternatively, you can try to eyeball the code, which could be tricky if the action is doing non-standard things. |
Thank you! |
And adds a permissions block to the README.
Fixes #464.
Merge / deployment checklist