doc: improve permission documentation

Also add section related to usage in private repositories.
redhat-plumbers-in-action · Jan 24, 2023 · 876cace · 876cace
1 parent bc41a85
commit 876cace
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 3 deletions.
diff --git a/.github/workflows/differential-shellcheck.yml b/.github/workflows/differential-shellcheck.yml
@@ -16,7 +16,6 @@ jobs:
 
     permissions:
       security-events: write
-      pull-requests: write
 
     steps:
       # Let's have this log of GitHub context for further development and debugging

diff --git a/README.md b/README.md
@@ -75,8 +75,12 @@ jobs:
     runs-on: ubuntu-latest
 
     permissions:
+      # required for all workflows
       security-events: write
-      pull-requests: write
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
 
     steps:
       - name: Repository checkout
@@ -98,7 +102,7 @@ jobs:
           path: ${{ steps.ShellCheck.outputs.sarif }}
 ```
 
-> **Warning**: _`fetch-depth: 0` is required in order to run `differential-shellcheck` successfully._
+> **Warning**: _`fetch-depth: 0` is required to run `differential-shellcheck` successfully. It fetches all git history._
 
 <details>
   <summary>Console output example</summary>
@@ -314,6 +318,12 @@ Relative path to SARIF file containing detected defects. Example of use:
     sarif_file: ${{ steps.ShellCheck.outputs.sarif }}
 ```
 
+## Using with Private repositories
+
+Differential ShellCheck GitHub Action could be used in private repositories by any user. But code scanning-related features are available only for GitHub Enterprise users, as mentioned in [GitHub Documentation](https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-code-scanning):
+
+_Code scanning is available for all public repositories on GitHub.com. Code scanning is also available for private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security. For more information, see "[About GitHub Advanced Security](https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security)"._
+
 ## Limitations
 
 * `differential-shellcheck` Action doesn't run correctly when overwriting commits using `--force` and when the triggering event is `push`.