At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of GITHUB_TOKEN permissions needed by different GitHub Actions. When developers try to set minimum token permissions for their workflows, they can use this knowledge-base instead of trying to research permissions needed by each GitHub Action they use.
Below you can see the KB entry for your GitHub Action.
name: 'Check PR CI'
github-token:
  action-input:
    input: token
    is-default: true
  permissions:
    pull-requests: write
    pull-requests-reason: to create review & merge pull requests #Checkout: https://github.com/actions-cool/check-pr-ci/blob/62a2dbe3878c79ccc24083c49abbc266c03205bf/src/octokit.js#L154
    issues: write
    issues-reason: to update issues #Checkout: https://github.com/actions-cool/check-pr-ci/blob/62a2dbe3878c79ccc24083c49abbc266c03205bf/src/octokit.js#L159
    contents: read
    contents-reason: to get collaborator permission level #Checkout: https://github.com/actions-cool/check-pr-ci/blob/62a2dbe3878c79ccc24083c49abbc266c03205bf/src/octokit.js#L45
    checks: read
    checks-reason: to get check reference #Checkout: https://github.com/actions-cool/check-pr-ci/blob/62a2dbe3878c79ccc24083c49abbc266c03205bf/src/octokit.js#L108
# Fixes #547
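As an added example (not part of this issue or of the secure-workflows project), the Python below reads the `permissions:` block of a KB entry in the format shown above and merges the entries of every action a job uses into the job-level `permissions:` block, letting write win over read per scope. The KB text is the check-pr-ci entry from this issue with the Checkout links dropped; the second action's permissions are constructed to show the merge.

```python
import re
from typing import Dict, Iterable

LEVELS = {"none": 0, "read": 1, "write": 2}  # write subsumes read when merging
# A scope line inside `permissions:`, e.g. "    issues: write #Checkout: ...".
_SCOPE_LINE = re.compile(r"^ +(?P<scope>[a-z-]+):\s*(?P<level>none|read|write)\s*(#.*)?$", re.M)

# KB entry for actions-cool/check-pr-ci as listed in this issue (Checkout links dropped).
CHECK_PR_CI_KB = """\
name: 'Check PR CI'
github-token:
  action-input:
    input: token
    is-default: true
  permissions:
    pull-requests: write
    pull-requests-reason: to create review & merge pull requests
    issues: write
    issues-reason: to update issues
    contents: read
    contents-reason: to get collaborator permission level
    checks: read
    checks-reason: to get check reference
"""

def kb_permissions(kb_text: str) -> Dict[str, str]:
    """{scope: level} from a KB entry's `permissions:` block; `-reason` lines are skipped."""
    block = re.search(r"^( *)permissions:\n((?:\1 +.*\n?)+)", kb_text, re.M)
    if block is None:
        raise ValueError("KB entry has no permissions block")
    perms: Dict[str, str] = {}
    for m in _SCOPE_LINE.finditer(block.group(2)):
        if not m["scope"].endswith("-reason"):
            perms[m["scope"]] = m["level"]
    return perms

def merge_permissions(entries: Iterable[Dict[str, str]]) -> Dict[str, str]:
    """Minimum job-level block covering every action: union of scopes, strongest level per scope."""
    merged: Dict[str, str] = {}
    for perms in entries:
        for scope, level in perms.items():
            if scope not in merged or LEVELS[level] > LEVELS[merged[scope]]:
                merged[scope] = level
    return merged

def check_pr_ci_job_permissions() -> Dict[str, str]:
    """Job running check-pr-ci plus a constructed hypothetical action that pushes a commit."""
    other_action = {"contents": "write", "checks": "read"}  # constructed, not from the KB
    return merge_permissions([kb_permissions(CHECK_PR_CI_KB), other_action])
```

The merged result is what belongs under the job's `permissions:` key; anything the KB does not list stays at the workflow default, so set that default to `read-all` or `{}` and grant only the merged scopes.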
If you think this information is not accurate, or if in the future your GitHub Action starts using a different set of permissions, please create an issue at https://github.com/step-security/secure-workflows/issues to let us know.
This issue is automatically created by our analysis bot, feel free to close after reading :)
References:
GitHub asks users to define workflow permissions, see https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/ and https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token for securing GitHub workflows against supply-chain attacks.
Setting minimum token permissions is also checked for by Open Source Security Foundation (OpenSSF) Scorecards. Scorecards recommend using https://github.com/step-security/secure-workflows so developers can fix this issue in an easier manner.