setup-task
feat: Default `repo-token` to GitHub token
The absence of a default value for `repo-token` means that this action may start to fail long after it has been implemented by a developer: the developer adds the action to their workflow (without a token because it's optional) and then, at some point in the future, their workflows may randomly start to fail because they've hit the unauthenticated rate-limit.
@LeoDog896 Yep, sorry, I should have noted that this is the standard approach.
Just to catch one concern that might come up: although adding `github.token` as the default value does mean that by default this action will now be given the active token, it's actually already possible for any action to access the token. The use of `github.token` as the default value for `repo-token` is the idiomatic way to pass the token because it's leveraging the standard GitHub Action configuration flow, but other approaches are available, like bypassing Action configuration altogether and instead just pulling it from the environment -- i.e. `process.env.GITHUB_TOKEN`.
> Important: An action can access the GITHUB_TOKEN through the github.token context even if the workflow does not explicitly pass the GITHUB_TOKEN to the action. As a good security practice, you should always make sure that actions only have the minimum access they require by limiting the permissions granted to the GITHUB_TOKEN. For more information, see "Permissions for the GITHUB_TOKEN."

...via GitHub Actions / Security guides / Automatic token authentication.
Separate from the above, while reviewing this Pull Request again, I've noticed I missed making a change to the README. At the moment the README says:

> `repo-token` (Optional) GitHub access token used for GitHub API requests. Heavy usage of the action can result in workflow run failures caused by rate limiting. GitHub provides a more generous allowance for Authenticated API requests. It will be convenient to use `${{ secrets.GITHUB_TOKEN }}`.

I think something like this might be clearer in light of this change:

> `repo-token` (Optional) GitHub access token used for GitHub API requests. When no `repo-token` is provided, the Workflow token will be used by default.
Let me know if that sounds like a more helpful description, and I'll update this Pull Request to include the README change too :)
Thanks!
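To make the mechanism discussed in this thread concrete, here is an added illustrative example (not the project's own `action.yml` or README, and not code from any participant) of what a `repo-token` input defaulting to `github.token` looks like, alongside a consuming workflow that follows the GitHub guidance quoted above by restricting the token's permissions. The action reference `OWNER/setup-task@VERSION` and the input description text are placeholders.

```yaml
# --- action.yml (illustrative fragment, assumed layout) ---
inputs:
  repo-token:
    description: 'GitHub access token used for GitHub API requests.'
    required: false
    # Falls back to the workflow's automatic token when the caller
    # omits the input, so authenticated rate limits apply by default.
    default: ${{ github.token }}

# --- .github/workflows/example.yml (illustrative consumer) ---
name: example
on: [push]
# The action receives github.token either way, so scope it down:
# read-only repository contents is enough for API lookups.
permissions:
  contents: read
jobs:
  setup:
    runs-on: ubuntu-latest
    steps:
      # No repo-token given: the action's default supplies the
      # (now least-privilege) workflow token automatically.
      - uses: OWNER/setup-task@VERSION
      # Explicit override still works if a different token is needed.
      - uses: OWNER/setup-task@VERSION
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
```

The two files are shown in one block for brevity; in practice they live in the action repository and the consuming repository respectively. The `permissions` block is the part a reviewer would look for, since the default makes the token available to the action whether or not the workflow author thinks about it.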
I think the best thing is to follow Arduino's established format for documenting default input values, as is already used for the `version` input.
Thank you very much, I agree, consistency is best! I've added the established format.
Closed by mistake? This still seems to be a useful change to me. @shrink @per1234
@andreynering you're right, thank you for catching the mistake. I deleted some unused forks (or so I thought): I missed that this Pull Request was still open. I've asked GitHub to restore the repository so the Pull Request is now re-opened.