Fine grained access token instructions in the github actions repository_dispatch documentation #23176

Closed
1 task done
Denubis opened this issue Jan 12, 2023 · 7 comments
Labels
- actions: This issue or pull request should be reviewed by the docs actions team
- content: This issue or pull request belongs to the Docs Content team
- rest: Content related to rest - overview.
- waiting for review: Issue/PR is waiting for a writer's review

Comments

Denubis commented Jan 12, 2023

What article on docs.github.com is affected?

https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#create-a-repository-dispatch-event via https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#repository_dispatch

What part(s) of the article would you like to see updated?

At present, the documentation for repo_dispatch indicates that the token needs "repo" scope. Using the fine-grained-actions (beta), it took me a fair amount of time to confirm that Actions: read and write is sufficient to make a webhook invocation token. While fine-grained-actions is still in beta, it may be worth updating this documentation.

Specifically, the most important action permission, [POST /repos/{owner}/{repo}/actions/workflows/{workflow_id}/dispatches](https://docs.github.com/en/rest/reference/actions#create-a-workflow-dispatch-event) (write) is third from the bottom, and I had to resort to ctrl-f to find it, which is why I wasn't certain that this was the correct permission. I'm now testing to see if this finely scoped permission is also sufficient for the task.

Additional information

Update: It turns out that that permission is necessary, but not sufficient. It would be nice to have the full minimum set of permissions necessary in repository_dispatch to trigger one.

@Denubis Denubis added the content This issue or pull request belongs to the Docs Content team label Jan 12, 2023
welcome bot commented Jan 12, 2023

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label Jan 12, 2023
cmwilson21 (Contributor) commented

@Denubis Thanks so much for opening an issue! I'll triage this for the team to take a look 👀

@cmwilson21 cmwilson21 added actions This issue or pull request should be reviewed by the docs actions team rest Content related to rest - overview. waiting for review Issue/PR is waiting for a writer's review and removed triage Do not begin working on this issue until triaged by the team labels Jan 12, 2023
Denubis commented Jan 13, 2023

@cmwilson21 Also, in conversation with a colleague, the "repo" permission on the classic version seems large-scoped for "needing to call a webhook" -- nuance as to what the minimal set of permissions required for "simple webhook invocation" both classic and new would be very much appreciated.

Denubis commented Jan 13, 2023

Ok, extra update. While testing the beta perms for something that involved variables and secrets, I used

6 permissions for 1 of your repositories
- Actions: Read and write
- Contents: Read and write
- Metadata: Read-only
- Secrets: Read and write
- Variables: Read and write
- Workflows: Read and write

And it worked. Not sure it's the minimum possible scope, but since my github action involves variables and secrets, I guessed at this? (I'm not sure why the invoking webhook needs all this access, or if it does). But it might help your docs folk start somewhere.

skedwards88 (Contributor) commented

Thanks for this issue! This article describes the permissions required for fine-grained personal access tokens. We have an internal issue to make this information more discoverable and to keep this information automatically up-to-date, so I'm going to close out this issue.

Denubis commented Jan 20, 2023

Thanks @skedwards88 -- one note I'd like to make is that the article you linked was not useful to me when trying to figure out permission sets. There was a fair amount of cutting-and-trying. The naive approach (select actions) was insufficient, and the original article was not useful. For the internal issue, if you could flag: "The minimum necessary set to launch an external webhook which references repository secrets" -- that would be wonderful. As a larger bit of feedback, having a "trigger a webhook on selected repositories only" permission-option would be quite useful from a security perspective, as these secrets have much higher potential exposure.

In any event, thanks for the response and I hope you both have a great weekend.
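Added example, not code from the issue or from GitHub's documentation: a small Python client for the repository_dispatch endpoint linked above, reading a fine-grained token from an assumed GH_DISPATCH_TOKEN environment variable and masking it before any request details are logged. The event_type and client_payload limits in the validator are the constraints the endpoint documentation states; the 403/404 note reflects typical behaviour for a token missing a repository permission.

```python
import json
import os
import urllib.error
import urllib.request

API_VERSION = "2022-11-28"  # version from the docs URL in this issue


def build_dispatch_request(owner, repo, event_type, client_payload, token):
    """Assemble the POST /repos/{owner}/{repo}/dispatches request."""
    # event_type (1-100 chars) and the 10 top-level property limit on
    # client_payload are the constraints the endpoint documentation states.
    if not event_type or len(event_type) > 100:
        raise ValueError("event_type must be 1-100 characters")
    if len(client_payload) > 10:
        raise ValueError("client_payload may have at most 10 top-level properties")
    url = f"https://api.github.com/repos/{owner}/{repo}/dispatches"
    headers = {
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": API_VERSION,
        "Content-Type": "application/json",
    }
    body = json.dumps({"event_type": event_type, "client_payload": client_payload})
    return url, headers, body.encode()


def redact_headers(headers):
    """Copy of the headers that is safe to log: the bearer token is masked."""
    return {k: ("Bearer ***" if k == "Authorization" else v) for k, v in headers.items()}


def send_dispatch(owner, repo, event_type, client_payload=None):
    """Send the event; returns the HTTP status (204 means GitHub accepted it)."""
    token = os.environ.get("GH_DISPATCH_TOKEN")  # assumed variable name
    if not token:
        raise RuntimeError("GH_DISPATCH_TOKEN is not set")
    url, headers, body = build_dispatch_request(
        owner, repo, event_type, client_payload or {}, token)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # A fine-grained token lacking the needed repository permission typically
        # comes back as 403 or 404; 422 points at a malformed body instead.
        print("dispatch failed:", err.code, redact_headers(headers))
        return err.code
```

Because the token only ever appears in the Authorization header, a failed dispatch can be logged with redact_headers without exposing the credential.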

tvquizphd added a commit to tvquizphd/public-quiz that referenced this issue Jan 23, 2023