grant GITHUB_TOKEN write permissions #11
Conversation
This comment has been minimized.
This comment has been minimized.
|
Setting the default permissions to write would solve the issue however, using "read" as default is something that we would like to have as a default for security reasons. You can easily fix that by adding the following snippet to your workflow to explicitly request write tokens for accessing pull requests: See also https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs On a side note: if you run this workflow for pull requests that originate from forks, the workflow will fail as no write token will be granted to such pull requests for security reasons. There is a blog post explaining the reasoning and workarounds: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ |
Signed-off-by: Michael Engel <[email protected]>
engelmi
force-pushed
the
grant-github-token-write
branch
from
f4bb0a1
to
87ae734
Compare
Diff for 51c3a04:Printing local diff:
Actions are indicated with the following symbols:
+ create
! modify
! forced update
- delete
Organization eclipse-bluechi[id=eclipse-bluechi]
there have been 4 validation infos, enable verbose output with '-v' to to display them.
! org_workflow_settings {
! default_workflow_permissions = "read" -> "write"
! }
Plan: 0 to add, 1 to change, 0 to delete.Canonical Diff for 51c3a04:Showing canonical diff:
Organization eclipse-bluechi[id=eclipse-bluechi]
--- canonical
+++ original
@@ -84,16 +84,12 @@
secret: "********"
}
]
- workflows+: {
- actions_can_approve_pull_request_reviews: false
- }
}
orgs.newRepo('bluechi-ansible-collection') {
allow_update_branch: false
branch_protection_rules: [
orgs.newBranchProtectionRule('main') {
required_approving_review_count: 1
- required_status_checks+: []
requires_conversation_resolution: true
requires_linear_history: true
requires_strict_status_checks: true
@@ -109,16 +105,12 @@
"ansible"
"bluechi"
]
- workflows+: {
- actions_can_approve_pull_request_reviews: false
- }
}
orgs.newRepo('bluechi-on-yocto') {
allow_update_branch: false
branch_protection_rules: [
orgs.newBranchProtectionRule('main') {
required_approving_review_count: 1
- required_status_checks+: []
requires_conversation_resolution: true
requires_linear_history: true
requires_strict_status_checks: true
@@ -134,9 +126,6 @@
"bluechi"
"yocto"
]
- workflows+: {
- actions_can_approve_pull_request_reviews: false
- }
}
orgs.newRepo('hashmap.c') {
allow_merge_commit: true
@@ -147,16 +136,12 @@
has_projects: false
has_wiki: false
web_commit_signoff_required: false
- workflows+: {
- actions_can_approve_pull_request_reviews: false
- }
}
orgs.newRepo('terraform-provider-bluechi') {
allow_update_branch: false
branch_protection_rules: [
orgs.newBranchProtectionRule('main') {
required_approving_review_count: 1
- required_status_checks+: []
requires_conversation_resolution: true
requires_linear_history: true
requires_strict_status_checks: true
@@ -173,9 +158,6 @@
"terraform"
"terraform-provider"
]
- workflows+: {
- actions_can_approve_pull_request_reviews: false
- }
}
]
settings+: { |
|
Thanks for the quick reply! @netomi
Ah ok, I didn't know about that option. But after reading the blog post you linked, I think that is the approach I have to use - so I have to tweak the BlueChi PR a bit. It was an interesting read. Thanks again! |
In order to enable GH workflows to add comments in PRs, set the
default_workflow_permissions: "write". One example can be seen in this PR: eclipse-bluechi/bluechi#690 - to add the coverage results as a comment to the PR. Currently, it gets a 403 response.@netomi Is this the
default_workflow_permissionthe right option in order to achieve this?