Skip to content

What permissions do the GitHub Actions need? #61

Description

@h0x0er

This GitHub Actions uses the GITHUB_TOKEN. Can you please tell me what permissions are used for this token? If the permissions are only used in certain conditions, e.g. when a certain input is specified, please share that info as well.

At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of permissions needed by different GitHub Actions. When developers try to remediate ossf/Scorecards checks, they use the knowledge-base to secure their GitHub Workflows.

Here is an example of how we store KB for an Action:

name: "GH Release"
github-token:
  action-input:
    input: github_token
    is-default: true
  permissions:
    contents: write
    contents-reason: to create GitHub release #Reference: https://github.com/softprops/action-gh-release/blob/fe9a9bd3295828558c7a3c004f23f3bf77d155b2/README.md?plain=1#L70 

Releated Issue:
step-security/secure-repo#270

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions