

Update GitHub Actions permissions #2

Closed
jcbhmr opened this issue Feb 8, 2023 · 12 comments
Labels: bug (Something isn't working), good first issue (Good for newcomers)

Comments

jcbhmr commented Feb 8, 2023

Previously, GitHub Actions got a GITHUB_TOKEN with both read/write permissions by default whenever Actions was enabled on a repository.
As a default, this is too permissive, so to improve security we would like to change the default going forward to a read-only token. You can still flip it to read/write if needed.

This change will not impact any existing enterprises, organizations or repositories. Here is how the defaults are set going forward.

  • Enterprises: New enterprises will have read-only token.
  • Organizations owned by Enterprise: New organizations will inherit the permissions from parent enterprise.
  • Organizations not owned by Enterprise: New organizations will have read-only token.
  • Repositories owned by organization: New repositories will inherit permissions from parent organization.
  • Repositories owned by personal account: New repositories will have read-only token.

https://github.blog/changelog/2023-02-02-github-actions-updating-the-default-github_token-permissions-to-read-only/

Here's the docs on how to specify perms: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

jcbhmr added the bug and good first issue labels Feb 8, 2023
jcbhmr self-assigned this Feb 8, 2023
jcbhmr commented Feb 25, 2023

This has come back to bite me already 🤷‍♂️

[screenshot of the failed workflow run]
https://github.com/jcbhmr/devcontainer-features/actions/runs/4267459350/jobs/7429085875

jcbhmr commented Feb 25, 2023

So I need to:

  • Make it so that the devcontainer publish gets the packages write scope
  • Make it so that the wiki action gets the write repo scope AND the wiki scope (whatever it's called)

jcbhmr commented Feb 25, 2023

Turns out there is no wiki-specific one that I could find?

permissions:
  actions: read|write|none
  checks: read|write|none
  contents: read|write|none
  deployments: read|write|none
  id-token: read|write|none
  issues: read|write|none
  discussions: read|write|none
  packages: read|write|none
  pages: read|write|none
  pull-requests: read|write|none
  repository-projects: read|write|none
  security-events: read|write|none
  statuses: read|write|none

I think it must be the contents: write which does it?

jcbhmr commented Feb 25, 2023

Yep for the wiki!

[screenshot of the successful wiki run]

jcbhmr commented Feb 25, 2023

The publish action still doesn't work 🤔

https://github.com/devcontainers/feature-starter/blob/0937a6939a8c9c75a54171981fb8fc169586109b/.github/workflows/release.yaml#L5-L14

jobs:
  deploy:
    if: ${{ github.ref == 'refs/heads/main' }}
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      packages: write
    steps:
      - uses: actions/checkout@v3

Maybe it has to be contents: write too?
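Added example, not part of this thread or of the feature-starter project: a small Python audit that resolves the GITHUB_TOKEN scopes each job actually receives, using the scope list posted above and the precedence rule from the linked docs (job-level `permissions` overrides workflow-level `permissions`, which overrides the repository default; listing any scope sets every unlisted scope to `none`). The workflow dict is constructed here and mirrors the quoted `deploy` job plus a job left at the default and a job using `write-all`; in practice it would come from `yaml.safe_load` on the workflow file. The `DEFAULTS` table, `effective_permissions` and `audit` are this example's own helpers, not a GitHub API.

```python
"""Audit GITHUB_TOKEN scopes per job in a GitHub Actions workflow.

Added example, not code from the issue thread. It assumes the workflow has
already been loaded into a dict with `yaml.safe_load`; SAMPLE_WORKFLOW below
is constructed for illustration.
"""

# Scopes that can be set under `permissions:` (the list quoted in the thread).
SCOPES = (
    "actions", "checks", "contents", "deployments", "discussions", "id-token",
    "issues", "packages", "pages", "pull-requests", "repository-projects",
    "security-events", "statuses",
)

# Token scopes when a job sets no `permissions:` at all, by repository default.
# "restricted" is the read-only default from the changelog; `id-token` is
# `none` in both cases (it must always be requested explicitly).
DEFAULTS = {
    "permissive": {s: ("none" if s == "id-token" else "write") for s in SCOPES},
    "restricted": {s: ("read" if s in ("contents", "packages") else "none") for s in SCOPES},
}


def _expand(spec):
    """Turn a `permissions:` value into a full scope->level map.

    `write-all` / `read-all` set every scope; a mapping sets the listed
    scopes and, per the docs, leaves every unlisted scope at `none`.
    """
    if spec == "write-all":
        return {s: "write" for s in SCOPES}
    if spec == "read-all":
        return {s: "read" for s in SCOPES}
    if isinstance(spec, dict):
        unknown = set(spec) - set(SCOPES)
        if unknown:
            raise ValueError(f"unknown permission scope(s): {sorted(unknown)}")
        return {s: spec.get(s, "none") for s in SCOPES}
    raise ValueError(f"unsupported permissions value: {spec!r}")


def effective_permissions(workflow, job_name, repo_default="restricted"):
    """Resolve the scopes a job's GITHUB_TOKEN actually gets.

    Precedence: job-level `permissions`, then workflow-level `permissions`,
    then the repository default setting.
    """
    job = workflow["jobs"][job_name]
    if "permissions" in job:
        return _expand(job["permissions"])
    if "permissions" in workflow:
        return _expand(workflow["permissions"])
    return dict(DEFAULTS[repo_default])


def audit(workflow, repo_default="restricted"):
    """Return {job_name: [finding, ...]} describing least-privilege problems."""
    findings = {}
    for name, job in workflow["jobs"].items():
        notes = []
        spec = job.get("permissions", workflow.get("permissions"))
        if spec is None:
            notes.append(f"relies on repository default ({repo_default})")
        elif spec == "write-all":
            notes.append("uses write-all; list only the scopes the job needs")
        eff = effective_permissions(workflow, name, repo_default)
        writes = sorted(s for s, lvl in eff.items() if lvl == "write")
        if writes:
            notes.append("write: " + ", ".join(writes))
        findings[name] = notes
    return findings


# Constructed sample: the `deploy` job quoted in the thread, a job that is
# left at the repository default, and one that took the write-all shortcut.
SAMPLE_WORKFLOW = {
    "name": "release",
    "on": {"push": {"branches": ["main"]}},
    "jobs": {
        "deploy": {
            "if": "${{ github.ref == 'refs/heads/main' }}",
            "runs-on": "ubuntu-latest",
            "permissions": {"contents": "write", "pull-requests": "write", "packages": "write"},
            "steps": [{"uses": "actions/checkout@v3"}],
        },
        "wiki": {
            "runs-on": "ubuntu-latest",
            "steps": [{"uses": "actions/checkout@v3"}],
        },
        "shortcut": {
            "runs-on": "ubuntu-latest",
            "permissions": "write-all",
            "steps": [{"uses": "actions/checkout@v3"}],
        },
    },
}

if __name__ == "__main__":
    for job, notes in audit(SAMPLE_WORKFLOW).items():
        print(f"{job}: " + ("; ".join(notes) or "ok"))
```

To run it against a real file, load it first: `audit(yaml.safe_load(open(".github/workflows/release.yaml")))`. A job whose only finding is a `write:` line has its scopes listed explicitly; a job that `relies on repository default` will behave differently between an old repository (read/write) and a newly created one (read-only), which is exactly the kind of breakage the screenshots above show.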

jcbhmr commented Feb 25, 2023

Even with the stock-standard feature-starter workflow I can't get it to work...

[screenshot of the failed publish run]

jcbhmr commented Mar 7, 2023

Turns out the easiest way to fix it is to just give up and use permissions: write-all and be done with it. Maybe someone can enlighten me which permissions I need to enable?

devcontainers/community#30 (comment)

jcbhmr closed this as completed Mar 7, 2023
jcbhmr commented Mar 7, 2023

Accidentally closed in an attempt to fix.

jcbhmr reopened this Mar 7, 2023
jcbhmr commented Mar 7, 2023

The permissions: write-all worked for a demo repo, but didn't work here for some reason. I don't know why. I think the best course of action is just to give up and use a secret GITHUBX_TOKEN from a manually created access token.

jcbhmr commented Mar 7, 2023

Even using the official workflow with permissions: write-all fails 😢

[screenshot of the failed run with permissions: write-all]

jcbhmr transferred this issue from another repository Mar 7, 2023
jcbhmr commented Mar 7, 2023

Since I figured I don't want to have to change the token every 30 days, I thought that now, before there are more than 3 issues to transfer, is the time to move everything to a new repo. So I did. This is a new repo that DOES have the "generated from" tag, but also magically works now. So yeah, worth it! That is, if it ends up working...

jcbhmr commented Mar 7, 2023

Solved as "good enough": just use the generated one and it works OK. Don't completely know why, but 🤷‍♂️

jcbhmr closed this as completed Mar 7, 2023