This GitHub Actions uses the GITHUB_TOKEN. Can you please tell me what permissions are used for this token? If the permissions are only used in certain conditions, e.g. when a certain input is specified, please share that info as well.
At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of permissions needed by different GitHub Actions. When developers try to remediate ossf/Scorecards checks, they use the knowledge-base to secure their GitHub Workflows.
Here is an example of how we store KB for an Action:
name: "GH Release"
github-token:
action-input:
input: github_token
is-default: true
permissions:
contents: write
contents-reason: to create GitHub release #Reference: https://github.com/softprops/action-gh-release/blob/fe9a9bd3295828558c7a3c004f23f3bf77d155b2/README.md?plain=1#L70
Releated Issue:
step-security/secure-repo#270
This GitHub Actions uses the GITHUB_TOKEN. Can you please tell me what permissions are used for this token? If the permissions are only used in certain conditions, e.g. when a certain input is specified, please share that info as well.
At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of permissions needed by different GitHub Actions. When developers try to remediate ossf/Scorecards checks, they use the knowledge-base to secure their GitHub Workflows.
Here is an example of how we store KB for an Action:
Releated Issue:
step-security/secure-repo#270