Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

What pemission scopes does the action need for the generated GITHUB_TOKEN? #220

Open
ghost opened this issue Oct 9, 2022 · 9 comments
Open

What pemission scopes does the action need for the generated GITHUB_TOKEN? #220

ghost opened this issue Oct 9, 2022 · 9 comments

Comments

@ghost
Copy link

ghost commented Oct 9, 2022
edited by ghost
Loading

Hello there, hope everything is fine

I was wondering which permission scopes should I grant for the PAT (personal access token) of changesets action.
Below is the list of permission scopes available for PATs, I have some ambiguity to choose some of them.

image
image

And there's also some problem with this approach of giving PAT as github_token to the action, since the PAT gives access to all repos and you can't limit the scope.
Isn't there any better approach for that?
@Andarist
Copy link
Member

Andarist commented Oct 9, 2022

Quite frankly - I'm not entirely sure. Those permissions are always confusing to me. Especially since they don't correspond 1 to 1 to the permissions for the workflow jobs.

What we need is:

  • fetch the content of the repository
  • push to the repository
  • search through PRs
  • create PRs
  • create GitHub releases

This would be definitely useful information to have in the docs but it requires some experimentation to figure out which minimal combination of those scopes would allow the action to function properly.

And there's also some problem with this approach of giving PAT as github_token to the action, since the PAT gives access to all repos and you can't limit the scope.

You can create a new "bot"-like account, limit its access to a particular repo and generate PAT for that account.

@frangio
Copy link

frangio commented Jan 2, 2023
edited
Loading

You can find the required permissions by looking up the REST endpoints in Permissions required for fine-grained personal access tokens.

Edit: Hm, these don't look like the ones in the screenshot. But see section below.

And there's also some problem with this approach of giving PAT as github_token to the action, since the PAT gives access to all repos and you can't limit the scope.
Isn't there any better approach for that?

You should look into Fine-grained PATs. You can scope them by repository.

@ernestognw
Copy link
Contributor

What we need is:

  • fetch the content of the repository
  • push to the repository
  • search through PRs
  • create PRs
  • create GitHub releases

To summarize, the permissions required are:

  • Contents (read/write): Covers fetch content of the repository, push commits and create releases
  • Pull Request (read/write): Covers create and write PRs

If you don't publish using Changesets, Releases is not required although it falls inside of the Contents category

@dstaley
Copy link

dstaley commented Jan 19, 2023
edited
Loading

For anyone thinking of using fine-grained tokens, be aware that they don't currently support the GraphQL API, which is required for @changesets/changelog-github:

Personal access tokens with fine grained access do not support the GraphQL API

@Andarist
Copy link
Member

I'm using those in XState and it works fine (but I don't use the GraphQL API there):
https://github.com/statelyai/xstate/blob/aad4991b4eb04faf979a0c8a027a5bcf861f34b3/.github/workflows/release.yml#L13-L16

I'd appreciate it if somebody could prepare a PR documenting this.

@dstaley
Copy link

dstaley commented Jan 19, 2023

@Andarist ah sorry! I'm so used to the GitHub changelogs that I forgot it's not the default configuration. I've edited my comment to be more accurate. Thanks for the clarification!

@kenneth-gray
Copy link

What we need is:

  • fetch the content of the repository
  • push to the repository
  • search through PRs
  • create PRs
  • create GitHub releases

To summarize, the permissions required are:

  • Contents (read/write): Covers fetch content of the repository, push commits and create releases
  • Pull Request (read/write): Covers create and write PRs

If you don't publish using Changesets, Releases is not required although it falls inside of the Contents category

@ernestognw Is this using the fine-grained tokens? I haven't been able to get this to work with just those 2 read/write permissions.

@kenneth-gray
Copy link

I can confirm that these permissions work as expected. I struggled to get the token recognised. As seen in some other issues, adding the PAT token as part of the GitHub checkout action solved my problem.

@nyonson
Copy link

nyonson commented Feb 23, 2023

@kenneth-gray did you get this working by not using the changeset version? I still get Personal access tokens with fine grained access do not support the GraphQL API even with the PAT using those permissions and set on both the checkout action and changeset action.

@ben-laird ben-laird mentioned this issue Feb 28, 2023
Closed
@JiangWeixian JiangWeixian mentioned this issue Apr 9, 2023
Merged
8 tasks
JiangWeixian added a commit to neo-hack/neo that referenced this issue May 2, 2023
@JiangWeixian
🐛 github release workflows require permissions
91be654 
changesets/action#220 (comment)
JiangWeixian added a commit to neo-hack/neo that referenced this issue May 2, 2023
@JiangWeixian
🐛 pin pnpm version in workflows (#379)
64f8c30 
* 🐛  pin pnpm version in workflows

* 🐛  github release workflows require permissions

changesets/action#220 (comment)

* 📝  update release note
@github-actions github-actions bot mentioned this issue May 2, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@dstaley @frangio @nyonson @Andarist @kenneth-gray @ernestognw