Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature: differentiate between package and contents permission in Token-Permission #1254

Closed
laurentsimon opened this issue Nov 13, 2021 · 5 comments
Closed

Feature: differentiate between package and contents permission in Token-Permission #1254

laurentsimon opened this issue Nov 13, 2021 · 5 comments
Assignees
@ristomcgehee
Labels
kind/enhancement New feature or request
Milestone
v5

Comments

@laurentsimon
Copy link
Contributor

We currently accepts package:write and contents:write if the workflow is a packaging workflow. We don't differentiate between a workflow that writes to a branch for the release (e.g. by pushing a binary for the tagged branch - needs contents) vs a workflow that pushes to a registry (need package).
@laurentsimon laurentsimon added the kind/enhancement New feature or request label Nov 13, 2021
@laurentsimon laurentsimon added this to the milestone v5 milestone Feb 15, 2022
@ossf ossf deleted a comment from github-actions bot Feb 15, 2022
@laurentsimon laurentsimon mentioned this issue Feb 15, 2022
Closed
5 tasks
@ristomcgehee
Copy link
Contributor

To make sure I understand this issue:

What this would involve is breaking up isPackagingWorkflow into separate methods, one for pushing to a registry (such as gradle.*publish, docker/build-push-action) and one for publishing a release on GitHub (such as goreleaser/goreleaser-action, relekang/python-semantic-release). Then we'd only ignore a packages: write permission for jobs that push to a registry, and we'd only ignore a contents: write permission for jobs that release on GitHub. Am I describing this accurately?

@laurentsimon
Copy link
Contributor Author

you're correct. I'm just not 100% sure whether some actions can do both or not.

@ristomcgehee
Copy link
Contributor

I suppose I can always run the workflow in a test environment to see which permissions it needs. I'll structure the code in such a way that if an action does need both packages: write and contents: write, it won't have its points reduced.

I'll work on this issue.

@ristomcgehee ristomcgehee self-assigned this Feb 19, 2022
@laurentsimon
Copy link
Contributor Author

Awesome, thanks!

@ristomcgehee ristomcgehee mentioned this issue Feb 19, 2022
Merged
2 tasks
@ristomcgehee
Copy link
Contributor

Completed in #1663.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ristomcgehee ristomcgehee

Labels
kind/enhancement New feature or request
Projects
None yet
Milestone
v5
Development

No branches or pull requests
2 participants
@ristomcgehee @laurentsimon