Fix: Information related to tokens in README #118
Fix documentation related to tokens. The secrets.GITHUB_TOKEN provided by the GitHub Actions App can do everything related to the repo if we elevate its permissions, including calling workflow_dispatch and repository_dispatch. Some people in my organization are using PATs instead of the secrets.GITHUB_TOKEN when using this action because of this README suggestion, even when they are calling the same repository. Using PATs in that context provides unnecessary security risks.
Testing

```yaml
name: Trigger
on:
  workflow_dispatch:
permissions:
  actions: write
jobs:
  repositorydispatch:
    runs-on: ubuntu-latest
    steps:
      - name: Dispatch workflow
        uses: peter-evans/repository-dispatch@v2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          event-type: test-repo-dispatch
          client-payload: '{"ref": "${{ github.ref }}", "sha": "${{ github.sha }}"}'
```

```yaml
name: Triggered
on:
  repository_dispatch:
    types: [test-repo-dispatch]
jobs:
  read:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v6
        with:
          result-encoding: string
          script: |
            const fs = require("fs")
            const eventPath = '${{ github.event_path }}'
            fs.readFile(eventPath, "utf-8", (err, data) => {
              console.log(data)
              console.error(err)
            })
            return eventPath
```
@santunioni Thank you for this contribution! I wasn't aware of this token change. I'm going to merge to a feature branch so I can make some further documentation and workflow changes. Then I'll merge to
I've updated the repo with your contribution. Thank you! I also made

```yaml
permissions:
  actions: write
jobs:
  repositorydispatch:
    runs-on: ubuntu-latest
    steps:
      - name: Repository Dispatch
        uses: peter-evans/repository-dispatch@v2
        with:
          event-type: my-event
```
@santunioni I don't think elevating the token permissions is necessary. It seems to work without this:

```yaml
permissions:
  actions: write
```
@peter-evans great! I confirmed you are right for personal accounts. However you do need the workflow to have

As an example, try this:

```yaml
permissions:
  actions: none
```

which is the default for the GitHub Teams plan. You will see the

What approach do you think suits the action better? Telling the user explicitly which permission the workflow needs, without relying on GitHub defaults, or relying on the defaults?
Ah, interesting. In that case I will make a note of it in the readme in the same way I've done for other actions I maintain. Thank you!
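As an added example (not code from this PR, the repository-dispatch action, or its maintainer), a small Python audit that applies the thread's conclusion to workflow files: it flags a step of this action that dispatches to the same repository with a PAT-style secret, and a step that relies on GITHUB_TOKEN without `permissions: actions: write`. It assumes an omitted `token` input means the workflow token, handles only single-job workflows with the block form of `permissions:`, and its `sample()` inputs are constructed from the Trigger workflow posted above.

```python
import re
ACTION = "peter-evans/repository-dispatch"          # the action this thread is about
BUILTIN = re.compile(r"secrets\.GITHUB_TOKEN|github\.token")

def audit_workflow(text: str) -> list[str]:
    """Flag repository-dispatch steps that use a PAT where GITHUB_TOKEN would do, or GITHUB_TOKEN
    without `permissions: actions: write`. Single-job workflows; shorthand permissions ignored."""
    findings, actions_perm, perms_indent, step = [], None, None, None

    def close(s):
        tok = s["token"] or "${{ github.token }}"   # assumption: an omitted token means the workflow token
        same_repo = s["repository"] in (None, "${{ github.repository }}")
        if not BUILTIN.search(tok) and same_repo:
            findings.append(f"line {s['line']}: PAT-style secret {tok} dispatches to the same repository; "
                            "GITHUB_TOKEN with `permissions: actions: write` suffices")
        elif BUILTIN.search(tok) and actions_perm != "write":
            findings.append(f"line {s['line']}: GITHUB_TOKEN used without `permissions: actions: write`; "
                            "the dispatch call fails where the default token permission is restricted")

    for n, raw in enumerate(text.splitlines(), 1):
        line, indent = raw.strip(), len(raw) - len(raw.lstrip(" "))
        if not line or line.startswith("#"):
            continue
        if perms_indent is not None and indent <= perms_indent:
            perms_indent = None                       # dedented out of the permissions: block
        if perms_indent is not None:                  # inside it: record the actions: scope
            key, _, val = line.partition(":")
            if key.strip() == "actions":
                actions_perm = val.strip()
            continue
        if line == "permissions:":                    # a new block replaces the previous one
            actions_perm, perms_indent = None, indent
            continue
        if step and line.startswith("- ") and indent <= step["indent"]:
            close(step); step = None                  # the next step item begins
        if f"uses: {ACTION}@" in line:
            step = {"line": n, "indent": indent, "token": None, "repository": None}
        elif step:                                    # collect the step's `with:` inputs
            key, _, val = line.partition(":")
            if key.strip() in ("token", "repository"):
                step[key.strip()] = val.strip()
    if step:
        close(step)
    return findings

def sample(token_line: str = "", perms_line: str = "") -> str:
    """Constructed input modelled on the Trigger workflow posted in this thread."""
    return (f"name: Trigger\non:\n  workflow_dispatch:\n{perms_line}jobs:\n  dispatch:\n"
            f"    runs-on: ubuntu-latest\n    steps:\n      - uses: {ACTION}@v2\n"
            f"        with:\n{token_line}          event-type: test-repo-dispatch\n")
```

Run `audit_workflow()` over each file in `.github/workflows/` in CI to catch both patterns before they merge; a PAT whose step sets `repository:` to another repo is left alone, since that is the case where GITHUB_TOKEN cannot be used.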