actions-permissions
Improve handling of `unknown` permissions
The current code is unhelpful for various reasons: https://github.com/GitHubSecurityLab/actions-permissions/blob/3dcbd6bb270cd62b67703a6c1aef904ace6a3bf3/monitor/index.js#L76-L77

- It generates markdown with a workflow snippet like:

  Minimal required permissions:

  ```yaml
  permissions:
    security-events: write
    pull-requests: read
    unknown: unknown
  ```

  But if someone were to add this permission, it'd result in the workflow failing:
- It doesn't use at least `::warning` or similar to call out the item https://github.com/jsoref/check-spelling/actions/runs/7331431111/job/19964051747#step:12:2
- The grammar in the readme is off: https://github.com/GitHubSecurityLab/actions-permissions/blob/8ecfc0d800e75e5774f8eebc81b3f48f214b8ca4/monitor/README.md?plain=1#L62
-It would requires parsing +It would require parsing
Expected results
- Don't generate invalid workflow content
- Do use `# ...` in the generated workflow content
- Do surface the API call(s) -- if you're afraid of surfacing things, provide the client `User-Agent`, it should be possible to at least identify the objects being queried
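
One way the expected results above could be met, as an added example that is not code from this issue or from the actions-permissions project: unknown entries become `# ...` comments and `::warning` annotations instead of an `unknown: unknown` key. The entry shape (`scope`, `level`, `method`, `path`), the function names and the sample data are assumptions made for illustration.

```javascript
// Added example: hypothetical input shape, not the project's data model.
const VALID_LEVELS = new Set(['read', 'write']);

// Escape data for a workflow command so a recorded request path
// cannot end the command early or start a second one.
function escapeCommandData(s) {
  return String(s).replace(/%/g, '%25').replace(/\r/g, '%0D').replace(/\n/g, '%0A');
}

// Keep a value on one line so it cannot break out of a YAML comment.
function oneLine(s) {
  return String(s).replace(/[\r\n]+/g, ' ');
}

// entries: [{ scope, level, method, path }] (assumed shape)
// Returns the workflow snippet plus the annotations to print to the job log.
function renderPermissions(entries) {
  const known = new Map();
  const unknown = [];
  for (const e of entries) {
    if (e.scope === 'unknown' || !VALID_LEVELS.has(e.level)) {
      unknown.push(e);
    } else if (known.get(e.scope) !== 'write') {
      known.set(e.scope, e.level); // write wins over read for the same scope
    }
  }
  // An empty mapping is still valid workflow syntax.
  const lines = [known.size === 0 ? 'permissions: {}' : 'permissions:'];
  for (const [scope, level] of known) lines.push(`  ${scope}: ${level}`);
  const warnings = [];
  for (const u of unknown) {
    const call = `${u.method} ${u.path}`;
    // Surface the API call as a comment, never as a permission key.
    lines.push(`  # unknown permission for: ${oneLine(call)}`);
    warnings.push(`::warning title=Unknown permission::${escapeCommandData(call)}`);
  }
  return { yaml: lines.join('\n'), warnings };
}

// Constructed sample: two mapped calls and one the monitor could not map.
const sample = [
  { scope: 'security-events', level: 'write', method: 'POST', path: '/example/sarifs' },
  { scope: 'pull-requests', level: 'read', method: 'GET', path: '/example/pulls/1' },
  { scope: 'unknown', level: 'unknown', method: 'GET', path: '/example/50%\nnext' },
];
const rendered = renderPermissions(sample);
console.log(rendered.yaml);
rendered.warnings.forEach((w) => console.log(w));
```

The generated snippet stays valid when pasted into a workflow, and each unmapped call still appears both in the summary and as an annotation on the run.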