
fine-grain App permissions & use GitHub native action for generating tokens

Open Ebonsignori opened this issue 1 year ago • 3 comments

👋 Hi there,

I did not test this yet, but I think this action only requires the Deployments & Environments write permissions, which are not specified in your README.

Additionally,

For certain operations (like deleting an environment), your GitHub Action will need additional permissions that your github.token simply doesn't have.

May be outdated with the introduction of fine-grained PATs which have access to Deployments & Environments: Read & Write

Finally, I updated the token generation step to use the native GitHub https://github.com/actions/create-github-app-token which might be more reliable & up to date than navikt. In my projects I feel it's safer to use :latest when working with native GitHub actions, but that level of trust is up to you

Ebonsignori avatar May 09 '24 17:05 Ebonsignori

@Ebonsignori, can you please list all of the permissions that the GitHub App needs to execute the action? I activated read and write for both environments and deployments. The action deletes deployments correctly, but returns a permission error when trying to delete the environment. Thanks!

markoleavy avatar Jul 08 '24 07:07 markoleavy

I ran into the same error and discovered from the GitHub REST API documentation that the app also requires Repository Administration write permissions to do the last step of deleting the environment.

senstar-pdye avatar Oct 24 '24 15:10 senstar-pdye

To summarize for anyone else, with a fine-grained token you should enable:

  • "Actions" repository permissions (read)
  • "Deployments" repository permissions (read & write)

To allow deleting an environment:

  • "Administration" repository permissions (read & write)

Some other tips:

  • If you're still having trouble, re-run the failed job with "Debugging enabled" to figure out which request is failing.
  • Remember that when you change permissions on your GitHub App you need to re-approve the new permissions in whatever org you first installed it. You can do this by going to "Install App" from the GitHub App settings.
  • Just noting that I saw there's a read/write permission for "Environments" but that doesn't seem to work.

mattcasey avatar Nov 14 '24 19:11 mattcasey
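Putting the thread together: the comments above describe a GitHub App installation token minted with actions/create-github-app-token and an App granted Actions (read), Deployments (read & write) and, for the final environment delete, Administration (read & write). The workflow below is an added example written for this page, not code from the action's README or from any commenter. The `uses:` path and version of the delete action, its input names (`token`, `environment`, `ref`), and the variable/secret names `CLEANUP_APP_ID` and `CLEANUP_APP_PRIVATE_KEY` are assumptions; check them against the action's own documentation before copying.

```yaml
# Added example (not from the action's README): remove a pull-request preview
# environment with a short-lived GitHub App installation token instead of the
# job's own GITHUB_TOKEN, which cannot delete environments.
name: Cleanup preview environment

on:
  pull_request:
    types: [closed]

# The built-in GITHUB_TOKEN is only used to check out nothing at all here;
# keep it minimal so the only privileged credential is the App token.
permissions:
  contents: read

jobs:
  cleanup:
    runs-on: ubuntu-latest
    steps:
      - name: Mint an installation token for the cleanup App
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          # Assumed names for the App ID variable and private-key secret.
          app-id: ${{ vars.CLEANUP_APP_ID }}
          private-key: ${{ secrets.CLEANUP_APP_PRIVATE_KEY }}
          # The token is scoped to the repository running the workflow.
          owner: ${{ github.repository_owner }}
          repositories: ${{ github.event.repository.name }}
          # The App installed on this repo must carry, per the thread:
          #   Actions:        read
          #   Deployments:    read & write   (list/deactivate/delete deployments)
          #   Administration: read & write   (DELETE /repos/{owner}/{repo}/environments/{name})
          # After changing the App's permissions, re-approve them under
          # "Install App" in the org, or the new scopes are not granted.

      - name: Delete the preview environment and its deployments
        # Assumed action path, version and input names; verify against the README.
        uses: strumwolf/delete-deployment-environment@v3
        with:
          token: ${{ steps.app-token.outputs.token }}
          environment: pr-${{ github.event.pull_request.number }}
          ref: ${{ github.event.pull_request.head.ref }}
```

If the deployment steps succeed but the environment delete still returns 403, the missing scope is almost always Administration; re-run the job with debug logging enabled to see which REST call fails, as suggested above. Pin the token-minting action to a tag or commit SHA rather than a floating reference if your supply-chain policy requires it.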