
GITHUB_TOKEN permissions used by this action

Open step-security-bot opened this issue 3 years ago • 3 comments

At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of GITHUB_TOKEN permissions needed by different GitHub Actions. When developers try to set minimum token permissions for their workflows, they can use this knowledge-base instead of trying to research permissions needed by each GitHub Action they use.

Below you can see the KB of your GITHUB Action.

```yaml
name: 'GitHub Push'
github-token:
  action-input:
    input: github_token
    is-default: true
  permissions:
    contents: write
    contents-reason: to push local changes  # Checkout: https://github.com/ad-m/github-push-action#github-action-for-github-push

# Fixes #496
```

If you think this information is not accurate, or if in the future your GitHub Action starts using a different set of permissions, please create an issue at https://github.com/step-security/secure-workflows/issues to let us know.

This issue is automatically created by our analysis bot, feel free to close after reading :)

References:

GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.

Setting minimum token permissions is also checked for by Open Source Security Foundation (OpenSSF) Scorecards. Scorecards recommend using https://github.com/step-security/secure-workflows so developers can fix this issue in an easier manner.

step-security-bot avatar Apr 06 '22 03:04 step-security-bot
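The KB entry above says the action needs only `contents: write` on the `GITHUB_TOKEN`. The workflow below is an added example, not part of the bot's post or the github-push-action project, showing how a consumer applies that minimum: the top-level `permissions: {}` strips every default grant, and the single job re-adds only `contents: write` before calling the action through its `github_token` input. The `actions/checkout` step is the real checkout action; `./generate.sh` is a hypothetical script standing in for whatever produces the local changes, and the `@<tag-or-sha>` ref is a placeholder to be replaced with a pinned release or commit.

```yaml
name: Commit generated files

on:
  push:
    branches: [main]

# Deny everything by default so each job has to state what it needs.
permissions: {}

jobs:
  push-changes:
    runs-on: ubuntu-latest
    # Only the permission listed in the KB entry for github-push-action.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4

      # Hypothetical step that modifies tracked files in the working tree.
      - run: ./generate.sh

      - name: Commit local changes
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add -A
          git commit -m "chore: regenerate files" || echo "nothing to commit"

      # Placeholder ref: pin to a released tag or full commit SHA.
      - uses: ad-m/github-push-action@<tag-or-sha>
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
```

If the push fails with a 403 under this configuration, the job-level `permissions` block is the first thing to check; raising the grant at the workflow level would also widen the token for every other job in the file, which is exactly what the minimum-permissions guidance referenced in the bot's post is meant to avoid.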

@ad-m I think it's not a bad idea to add the token permission to the documentation. What do you think?

ZPascal avatar Apr 17 '22 19:04 ZPascal

What permission do we need for that API call? https://github.com/ad-m/github-push-action/blob/694e694af3c1751f83c030838b41be57e1fd851e/start.js#L52

ad-m avatar May 03 '22 22:05 ad-m

@ad-m I think we should add full repository and optional workflow access to the documentation. Should I prepare a PR?

ZPascal avatar May 04 '22 20:05 ZPascal