Update GHA token permissions for generic container workflow #1258
Conversation
Signed-off-by: Ian Lewis <ianlewis@google.com>
Note that it's debatable that long-lived PAT tokens are a more secure option to ephemeral GITHUB_TOKEN. But we can't have both. Starting as you suggest in this PR means we can later add a
Yeah, I understand that. This at least makes it so you don't have to give
BTW, I tried to pass the
the fine-grained tokens seem to be scoped in time and always expire (at least in the beta), which makes them unsuitable for workflows. (We can't expect users to update PATs every month or so)
I just meant that GH should be able to check the permissions given by the caller at runtime on access to actions that need these permissions. Technically they should be able to do that, without doing a validation statically.
Yeah, that seems odd if they allow more granular scopes, users should be more comfortable with having long-term tokens. Maybe that's some feedback for GitHub...
Yeah, I explicitly tried that and it didn't seem to work. I set The only solution I can think of is to make a separate workflow just for ghcr.io that requests
…lsa-framework#1258)" This reverts commit 38f9f24. Signed-off-by: Ian Lewis <ianlewis@google.com>
Fixes #1256
Fixes #1257
Updates #547
package: write permissions on the GHA token. Instead we require users of ghcr.io to log in using a PAT.
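The following caller workflow is an added illustration of the arrangement the PR description settles on; it is not the project's own workflow and not code from this thread. The ephemeral GITHUB_TOKEN keeps only `contents: read` (in workflow syntax the relevant key is spelled `packages`, not `package`), and the push to ghcr.io authenticates with a PAT stored as a repository secret. The secret name `GHCR_PAT` and the image tag are assumptions for illustration.

```yaml
# Added example (not the project's own workflow): a caller workflow that keeps
# the GITHUB_TOKEN at read-only and logs in to ghcr.io with a PAT instead.
# GHCR_PAT is an assumed secret name holding a PAT with the write:packages scope.
name: build-and-push-image

on:
  push:
    branches: [main]

# Default for every job in this workflow: the ephemeral GITHUB_TOKEN can only
# read repository contents. Before this change a caller also had to grant
#   packages: write
# here so the token itself could push to ghcr.io.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # Job-level block restates the minimum; nothing widens the token.
    permissions:
      contents: read
      # packages: write   <- no longer required on GITHUB_TOKEN
    steps:
      - uses: actions/checkout@v3

      # Registry authentication uses the PAT, so the workflow token's
      # permissions stay minimal even though the job pushes an image.
      - name: Log in to ghcr.io
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GHCR_PAT }}   # assumed secret name

      - name: Build and push
        run: |
          docker build -t ghcr.io/${{ github.repository }}:${{ github.sha }} .
          docker push ghcr.io/${{ github.repository }}:${{ github.sha }}
```

The trade-off the thread raises still applies: the PAT is long-lived and must be rotated by the repository owner, whereas GITHUB_TOKEN expires with the job. What this layout buys is that a compromised or over-broad step in the workflow cannot use GITHUB_TOKEN to write packages, because that permission was never granted to it.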