There is no way to check for a Github action's github.token permissions

[gautamkrishnar]

Select Topic Area

Bug

Body

If we try using:

curl -sS -f -H "Authorization: token ${{ github.token  }}" https://api.github.com/repos/example-user/example-repo  | jq .permissions

We always gets the following response:

{
  "admin": false,
  "maintain": false,
  "push": false,
  "triage": false,
  "pull": false
}

Which is technically wrong, since I have the read/write permission enabled for the default token for the example repo.

GitHub needs to fix this behavior and make the actual permission visible in this case. GitHub action developers are unable to check for the token permissions due to this issue.

[ghostinhershell]

Hey @gautamkrishnar,

Thank you so much for sharing your feedback here. I'll go ahead and get this filed for you so that your feedback reaches the correct teams here at GitHub. Thanks again! 🚀

[ben-elttam]

@ghostinhershell is there a way to track this?

[gautamkrishnar]

@ghostinhershell any updates on this?

[vladislavkovaliov]

hello @ghostinhershell do u have any updates regarding this?

[hugos99]

@ghostinhershell is there an update on this? Would be great for composite actions to dynamically change the action flow based on permissions!

[ghostinhershell]

Hi @gautamkrishnar,

I wonder if the issue that you're seeing here is due to the security measures in place for pull requests from forked repositories. As per GitHub's policy, workflow runs that are triggered by such pull requests are treated as if they're coming from a public repository. This means they receive a read-only GITHUB_TOKEN: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token.

This is done to prevent malicious users from creating a pull request that alters your repository's workflows or accesses sensitive data. Unfortunately, there's no direct way to grant write permissions to the GITHUB_TOKEN for pull requests from forks.

[gautamkrishnar]

@ghostinhershell I am aware of this policy. My issue was not about limited permissions in the Github tokens.

I am a github action developer who maintains multiple Github actions that is used by thousands of people around the world, I need a way for my own Github actions to programmatically know the permissions of the token generated so that my action can perform different steps depending on the permissions available. The Github actions developed by me are being used by other people, not me.

For example, for my: https://github.com/gautamkrishnar/keepalive-workflow
if the token provided has actions: write permission, I can use the GitHub token to call the Github API, else I can check if the action has contents: write and use a commit-based approach.