
Look into adding permissions to the example workflow

Open jspaaks opened this issue 3 years ago • 2 comments

Spawned by discussion in JuliaLang/julia. Thanks @DilumAluthge for the suggestion.

jspaaks avatar Feb 08 '22 23:02 jspaaks

I would like to add that pinning the version of an Action to a release commit might also have benefits. If you take a look at the GitHub Action of cffreference, which is the subject of https://github.com/citation-file-format/citation-file-format/pull/384, you will find a working example which implements both pinning the Action versions to a release commit and the minimum permissions to ensure the correctness.

Since the default permission set GitHub grants the session token for an Action does not always fit the Action's intention, adding the minimum permissions in both the example and the corresponding applications of the Action in this namespace would, at least in my opinion, be a meaningful change.

To see the permissions granted by default, just go to the "Actions" tab of a project of your choice which applies them, choose an arbitrary Action which was completed not too long ago, expand "Set up job", and, in there, "GITHUB_TOKEN Permissions". Try to find an Action which does not explicitly limit the granted permissions.

kevinmatthes avatar Jun 17 '22 17:06 kevinmatthes
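The two changes discussed above, an explicit least-privilege `permissions` block and Actions pinned to a release commit, in one workflow. This is an added example, not a workflow from the cffconvert-github-action repository or from the PRs linked in this thread. The commit SHAs and version tags are placeholders to be replaced with the reviewed release; the `args: --validate` input is assumed from the action's documented usage and should be checked against the README.

```yaml
# Added example (not the project's own workflow): a minimal workflow that runs
# cffconvert-github-action with an explicit least-privilege token and with
# every Action pinned to a full commit SHA instead of a moving tag.
# The SHAs below are placeholders; replace them with the commit of the release
# you have reviewed. The tag in the trailing comment documents which release
# the SHA corresponds to, for readers and for dependency-update tooling.
name: cffconvert

on:
  push:
    paths:
      - CITATION.cff
  pull_request:
    paths:
      - CITATION.cff

# Without this block the GITHUB_TOKEN receives the repository's default
# permission set, which is often read/write on many scopes (visible under
# "Set up job" -> "GITHUB_TOKEN Permissions" in a completed run). Declaring
# permissions at the top level replaces that default for every job; any scope
# not listed here is set to none. Validating a CITATION.cff file only needs to
# read the repository contents.
permissions:
  contents: read

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repository
        # Placeholder SHA: a tag such as vX.Y.Z can later be moved to point at
        # different code; a commit SHA cannot.
        uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z

      - name: Validate CITATION.cff
        # Placeholder SHA, same reasoning as above. The "args" input name is an
        # assumption taken from the action's documented usage.
        uses: citation-file-format/cffconvert-github-action@0000000000000000000000000000000000000000 # vX.Y.Z
        with:
          args: --validate
```

If a later step genuinely needs more than read access (for example, committing a converted file back to the repository), grant that scope on the individual job rather than widening the top-level block, so the narrower default still applies to every other job in the workflow.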

I submitted a Pull Request related to this topic to the main project. citation-file-format/citation-file-format#406

kevinmatthes avatar Sep 20 '22 19:09 kevinmatthes