
Improve handling of `unknown` permissions

Open · jsoref opened this issue 7 months ago · 1 comment

The current code is unhelpful for various reasons: https://github.com/GitHubSecurityLab/actions-permissions/blob/3dcbd6bb270cd62b67703a6c1aef904ace6a3bf3/monitor/index.js#L76-L77

1. It generates markdown with a workflow snippet like:

       Minimal required permissions:

       permissions:
         security-events: write
         pull-requests: read
         unknown: unknown

   But if someone were to add this permission, it'd result in the workflow failing (screenshot omitted).

2. It doesn't use at least `::warning` or similar to call out the item: https://github.com/jsoref/check-spelling/actions/runs/7331431111/job/19964051747#step:12:2

3. The grammar in the readme is off: https://github.com/GitHubSecurityLab/actions-permissions/blob/8ecfc0d800e75e5774f8eebc81b3f48f214b8ca4/monitor/README.md?plain=1#L62

       -It would requires parsing
       +It would require parsing

Expected results

1. Don't generate invalid workflow content
2. Do use `# ...` in the generated workflow content
3. Do surface the API call(s) -- if you're afraid of surfacing things, provide the client User-Agent; it should be possible to at least identify the objects being queried

jsoref avatar Dec 28 '23 00:12 jsoref
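One way the three expected results could fit together, as an added example that is not the actions-permissions monitor's own code: unmapped scopes become a `# ...` comment carrying the observed API calls, and a `::warning` annotation is emitted for them. The input shape (scope to `{level, calls}`) and the sample paths are assumptions.

```javascript
// Added example, not code from the actions-permissions monitor itself.
// Renders a `permissions:` block from observed scopes; instead of emitting
// an invalid `unknown: unknown` line it comments the entry out, lists the
// API calls behind it, and produces a `::warning` workflow annotation.
// The input shape (scope -> {level, calls}) is an assumption.

const KNOWN_SCOPES = new Set([
  'actions', 'checks', 'contents', 'deployments', 'id-token', 'issues',
  'packages', 'pages', 'pull-requests', 'repository-projects',
  'security-events', 'statuses',
]);
const KNOWN_LEVELS = new Set(['read', 'write', 'none']);

function renderPermissions(observed) {
  const yaml = ['permissions:'];
  const warnings = [];
  for (const [scope, { level, calls = [] }] of Object.entries(observed)) {
    if (KNOWN_SCOPES.has(scope) && KNOWN_LEVELS.has(level)) {
      yaml.push(`  ${scope}: ${level}`);
      continue;
    }
    // Keep the snippet valid YAML that GitHub will accept: the unresolved
    // entry becomes a comment that still shows which requests were seen.
    yaml.push(`  # ${scope}: ${level}  (could not map to a permission scope)`);
    for (const call of calls) yaml.push(`  #   observed: ${call}`);
    warnings.push(
      `::warning::Could not map ${calls.length} API call(s) to a permission scope; see the commented '${scope}' entry`,
    );
  }
  return { yaml: yaml.join('\n'), warnings };
}

// Constructed sample input mirroring the snippet in the issue; OWNER/REPO
// and the endpoint paths are placeholders, not real observed traffic.
const SAMPLE = {
  'security-events': { level: 'write', calls: ['POST /repos/OWNER/REPO/code-scanning/sarifs'] },
  'pull-requests': { level: 'read', calls: ['GET /repos/OWNER/REPO/pulls/1'] },
  unknown: { level: 'unknown', calls: ['GET /repos/OWNER/REPO/some/endpoint'] },
};

const { yaml, warnings } = renderPermissions(SAMPLE);
console.log(yaml);
warnings.forEach((w) => console.log(w));
```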