What GitHub Actions permissions does Release Drafter Need #869

Closed
RehanSaeed opened this issue May 19, 2021 · 14 comments · Fixed by #1132

Comments

@RehanSaeed

GitHub has released new permissions for GitHub Actions. You can make a repo/organisation default to minimal read-only permissions by default, which causes release drafter to stop working. What permissions does release drafter need?

https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/

@jetersen
Member

You're welcome to experiment 😅

I presume contents write and pull request read

@RehanSaeed
Author

That worked, thanks!

permissions:
  contents: write
  pull-requests: read

RehanSaeed added a commit to RehanSaeed/release-drafter that referenced this issue May 19, 2021
@RehanSaeed
Author

Looks like autolabeler stops working if I use:

permissions:
  contents: write
  pull-requests: read

Trying to work out what I need to add to get that to work.

RehanSaeed reopened this May 26, 2021
@jetersen
Member

jetersen commented May 26, 2021

You most likely need pull-requests write to add labels

@RehanSaeed
Author

Tried that but it didn't seem to do the trick.

https://github.com/RehanSaeed/FastestNuGet/blob/main/.github/workflows/release-drafter.yml

@jetersen
Member

Did you try to add issues: read or write?

@RehanSaeed
Author

I tried permissions: write-all and it still didn't work for some reason. Not sure what's wrong.

@jetersen
Member

Maybe labels are not covered by their current permission scheme.

@jetersen
Member

jetersen commented Sep 6, 2021

@RehanSaeed was this successful?

@RehanSaeed
Author

Almost. Auto labelling is still broken even if I give full permissions.

@jetersen
Member

jetersen commented Sep 6, 2021

Might be an issue for GitHub? I don't feel comfortable suggesting this unless it also works for auto labeling.

@martinda

I tried the permissions mentioned above but the "Error: Resource not accessible by integration" gets thrown every time. Then I looked at the effective GITHUB_TOKEN permission values in the workflow run, and all the permissions are set to read regardless of anything I specify in the yml file or in the Settings... Actions... Workflow Permissions config page. In this blog post, GitHub says that:

> Pull requests from public forks are still considered a special case and will receive a read token regardless of these settings.

That might explain why it keeps failing. I wonder how projects that use the release drafter work around this.

@gilbertsoft
Contributor

> I tried the permissions mentioned above but the "Error: Resource not accessible by integration" gets thrown every time. Then I looked at the effective GITHUB_TOKEN permission values in the workflow run, and all the permissions are set to read regardless of anything I specify in the yml file or in the Settings... Actions... Workflow Permissions config page. In this blog post, GitHub says that:
>
> > Pull requests from public forks are still considered a special case and will receive a read token regardless of these settings.
>
> That might explain why it keeps failing. I wonder how projects that use the release drafter work around this.

To enable write permissions for forks, use the event pull_request_target instead of pull_request; see https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows#pull_request_target
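The trigger and permission settings discussed in this thread, combined into one least-privilege workflow as an added example (not posted by any participant and not the Release Drafter project's own configuration). The branch name `main`, the job name and the `@v5` tag are assumptions, and the thread does not confirm that this resolves auto-labelling.

```yaml
# Added example: not taken from the thread or from the Release Drafter project.
# Assumptions: default branch "main", the job name, and the @v5 action tag.
name: Release Drafter

on:
  push:
    branches:
      - main
  # pull_request gives PRs from public forks a read-only GITHUB_TOKEN
  # regardless of the permissions block. pull_request_target runs in the
  # base repository's context, and its token follows the permissions block.
  pull_request_target:
    types: [opened, reopened, synchronize]

# Workflow-wide default: read-only, matching a restricted repo/org setting.
permissions:
  contents: read

jobs:
  update_release_draft:
    runs-on: ubuntu-latest
    # Elevate only this job, and only for the scopes named in the thread.
    permissions:
      contents: write       # thread: needed to draft the release
      pull-requests: write  # thread: most likely needed to add labels
    steps:
      # No actions/checkout step: with pull_request_target the token is
      # writable, so the job must not fetch or run code from the PR head.
      - uses: release-drafter/release-drafter@v5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```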

@RehanSaeed
Author

@gilbertsoft I tried pull_request_target here with the permissions below and found that auto labelling still doesn't work. Not sure what else I'm missing.

permissions:
  contents: write
  pull-requests: write
