Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Documentation Update - add permissions section to readme #511

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Documentation Update - add permissions section to readme #511

wants to merge 1 commit into from

Conversation

benwells
Copy link

Add new Recommended permissions section to the README file.

@benwells benwells requested a review from a team as a code owner January 16, 2025 20:07
@benwells benwells temporarily deployed to debug-integration-test January 16, 2025 20:07 — with GitHub Actions Inactive
@github-actions GitHub Actions
Copy link

Hello from actions/github-script! (3e760d5)

joshmgross
joshmgross reviewed Jan 16, 2025
View reviewed changes
README.md
Comment on lines +149 to +153
### General Best Practices

- Use the principle of least privilege: Only grant the specific permissions needed for your workflow.
- Regularly audit and review your workflows to ensure permissions remain appropriate for your use cases.
- Test your workflows with the intended permissions to verify they work as expected without over-permissioning.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd remove this section personally - this would be betters suited in our GitHub documentation for Actions best practices rather than in this action's README.

README.md
Comment on lines +135 to +147
## Recommended Permissions

The permissions required for the `GITHUB_TOKEN` in your workflow vary depending on how you use `github-script`. To ensure secure and efficient use of this action, we recommend reviewing and setting the least privileges necessary for your use case.

### Determine the Required Permissions

1. **`GITHUB_TOKEN` Authentication**
GitHub automatically provides a `GITHUB_TOKEN` for workflows. You can customize the permissions granted to this token. Refer to the documentation for details:
[Permissions for the `GITHUB_TOKEN`](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)

2. **API Calls with Installation Access Tokens**
If you're using `github-script` to make API calls requiring installation access tokens, ensure the permissions are configured appropriately for those endpoints. Learn more here:
[Permissions for installation access tokens](https://docs.github.com/en/rest/authentication/endpoints-available-for-github-app-installation-access-tokens)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can simplify this a bit

Suggested change
## Recommended Permissions
The permissions required for the `GITHUB_TOKEN` in your workflow vary depending on how you use `github-script`. To ensure secure and efficient use of this action, we recommend reviewing and setting the least privileges necessary for your use case.
### Determine the Required Permissions
1. **`GITHUB_TOKEN` Authentication**
GitHub automatically provides a `GITHUB_TOKEN` for workflows. You can customize the permissions granted to this token. Refer to the documentation for details:
[Permissions for the `GITHUB_TOKEN`](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)
2. **API Calls with Installation Access Tokens**
If you're using `github-script` to make API calls requiring installation access tokens, ensure the permissions are configured appropriately for those endpoints. Learn more here:
[Permissions for installation access tokens](https://docs.github.com/en/rest/authentication/endpoints-available-for-github-app-installation-access-tokens)
## Recommended permissions
The permissions required for the `GITHUB_TOKEN` in your workflow vary depending on how you use `actions/github-script`. We recommend reviewing and setting the least privileges necessary for your use case.
See [Permissions for the `GITHUB_TOKEN`](https://docs.github.com/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) for details on the available permissions and [Permissions for installation access tokens](https://docs.github.com/en/rest/authentication/endpoints-available-for-github-app-installation-access-tokens) for information on what permissions each API requires.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joshmgross joshmgross joshmgross left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@benwells @joshmgross