What permissions do the GitHub Actions need?

[h0x0er]

This GitHub Actions uses the GITHUB_TOKEN. Can you please tell me what permissions are used for this token? If the permissions are only used in certain conditions, e.g. when a certain input is specified, please share that info as well.

At https://github.com/step-security/secure-workflows we are building a knowledge-base (KB) of permissions needed by different GitHub Actions. When developers try to remediate ossf/Scorecards checks, they use the knowledge-base to secure their GitHub Workflows.

Here is an example of how we store KB for an Action:

name: "GH Release"
github-token:
  action-input:
    input: github_token
    is-default: true
  permissions:
    contents: write
    contents-reason: to create GitHub release #Reference: https://github.com/softprops/action-gh-release/blob/fe9a9bd3295828558c7a3c004f23f3bf77d155b2/README.md?plain=1#L70 

Releated Issue:
step-security/secure-repo#270

[matiasalbarello]

Hi @h0x0er. Thanks for your message. You're right, the documentation is not up to date with that change. I'll try to update it ASAP. For the time being, I'd say that the only required permission is the read checks:

  permissions:
    checks: read

The only GH API call that it does is through Oktokit client's method check_runs_for_ref.

Feel free to create a PR with the missing documentation if you can :)