Doc improvement idea: explicit required GITHUB_TOKEN permissions documented
TL;DR
When dealing with GITHUB_TOKEN permissions in the workflow yml for OIDC, release-please breaks down with multiple "Resource not accessible by integration" errors. Without explicit permissions in the yml file, the action works fine.
Would be great if the exact permission-requirements would be documented in the main README.md in this repo. :)
Detailed design
Using OIDC within a workflow, one has to put explicit permissions:
```yaml
permissions:
  id-token: write
  contents: read
```
When this is done in the same workflow where release-please is defined as follows:
```yaml
jobs:
  release-please:
    runs-on: ubuntu-latest
    steps:
      - uses: google-github-actions/release-please-action@v3
        with:
          release-type: node
          package-name: release-please-action
```
The result is below:
```text
✔ Looking for latest release on branch: main with prefix: release-please-action
Error: release-please failed: Request failed due to following response errors:
 - Resource not accessible by integration
 - Resource not accessible by integration
 - Resource not accessible by integration
 - Resource not accessible by integration
 - Resource not accessible by integration
 - Resource not accessible by integration
```
Additional information
No response
Continuing on this, in my own case it was possible (and probably best) to change the permissions at job level, where release-please was not in the same job. This fixed my problem, but having explicit knowledge of the GITHUB_TOKEN permission requirements would still be good to have in my opinion.
@stutommi would happily add this to the README, seems like a good suggestion. Did you want to make the update? What permissions did you end up enabling for your workflow?
The needed ones are: https://github.com/voxpelli/eslint-config/blob/db59a84762b9982c1d47c170e79ddbe967faf6e0/.github/workflows/release-please.yml#L9-L11
```yaml
permissions:
  contents: write
  pull-requests: write
```
Makes sense, as the action needs to create a commit and then a PR for that commit
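Putting the two comments above together, here is a complete workflow that keeps the OIDC scopes and the release-please scopes in separate jobs, each holding only what it needs. This is an added example, not the project's README or anyone's workflow from this thread; the `deploy` job and its final `run` step are placeholders standing in for whatever OIDC-based cloud authentication a repository actually uses. The trigger (`push` to `main`) and the `needs:` ordering are assumptions as well.

```yaml
# Added example: one workflow, two jobs, job-level GITHUB_TOKEN scopes.
name: release

on:
  push:
    branches: [main]

# Deliberately no workflow-level `permissions:` block. A workflow-level block
# containing only `id-token: write` and `contents: read` sets every unlisted
# scope (including pull-requests) to `none` for every job, which is what
# produces "Resource not accessible by integration" for release-please.
jobs:
  release-please:
    runs-on: ubuntu-latest
    # Only the scopes release-please needs: push the release commit/tag and
    # open or update the release PR. No id-token, so this job cannot mint
    # an OIDC token.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: google-github-actions/release-please-action@v3
        with:
          release-type: node
          package-name: release-please-action

  deploy:
    runs-on: ubuntu-latest
    needs: release-please
    # OIDC token minting lives only here; this job gets no write access to
    # repository contents or pull requests.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v3
      # Placeholder (assumption): replace with the cloud provider's action
      # that exchanges the OIDC token for short-lived credentials.
      - run: echo "exchange the OIDC token for cloud credentials here"
```

Scoping `id-token: write` to the job that actually consumes the OIDC token, rather than to the whole workflow, also means the release-please job cannot obtain a cloud identity even if a step inside it is compromised, which is the least-privilege outcome the job-level split buys you beyond just fixing the error.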