BetaHuhn / deploy-to-vercel-action

🎬▲ Deploy your project to Vercel using GitHub Actions. Supports PR previews and GitHub deployments.
https://mxis.ch
MIT License
141 stars 71 forks

Document GitHub fine-grained personal token permissions #353

Open Siilwyn opened 1 year ago

Siilwyn commented 1 year ago

Thoughts on adding needed permissions to the readme?

After some trial and error it seems that the 'new' personal access tokens need the following permissions: [image]

davidar commented 1 year ago

You can also use GITHUB_TOKEN with these permissions:

permissions:
   contents: read
   pull-requests: write
   deployments: write

Siilwyn commented 1 year ago

@davidar oh that's possibly a lot better! No more generating tokens on a 'bot' GH account. Are there any downsides to this? I don't see it mentioned in the readme. Guess the GH PR comment author would be 'less nice'?

davidar commented 1 year ago

I haven't noticed any downsides, it just means the comments come from the "github-actions" bot

pm0u commented 4 months ago

> You can also use GITHUB_TOKEN with these permissions:
>
> permissions:
>    contents: read
>    pull-requests: write
>    deployments: write

Is this a YAML config that we set somewhere, or are you just noting the permissions needed when creating the fine-grained token?

Edit: got it, hadn't seen this before: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

Then you can just use the secret without having to generate anything: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow
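
An added example, not part of the thread or the project's README: a workflow showing where the `permissions` block from this discussion goes, scoped to the deploy job so the automatic `GITHUB_TOKEN` carries only those three grants. The workflow file name, branch name, `@v1` tag, Vercel secret names and the per-permission comments are assumptions; check the input names against the README of the version you pin.

```yaml
# .github/workflows/deploy.yml  (file name is an assumption)
name: Deploy to Vercel

on:
  push:
    branches: [main]        # assumed default branch
  pull_request:
  # Caveat: on pull_request runs triggered from a fork, GitHub gives the
  # job a read-only GITHUB_TOKEN and no repository secrets, whatever the
  # permissions block says, so preview comments and deployments only
  # work for branches in the same repository.

# Workflow level: start from no permissions at all.
permissions: {}

jobs:
  deploy:
    runs-on: ubuntu-latest
    # Job level: the three scopes listed in the thread, and nothing else.
    # Any scope not named here is set to "none" for this job's token.
    permissions:
      contents: read        # likely use: check out the repository
      pull-requests: write  # likely use: post the preview comment
      deployments: write    # likely use: create the GitHub deployment
    steps:
      - uses: actions/checkout@v4

      - name: Deploy to Vercel
        uses: BetaHuhn/deploy-to-vercel-action@v1   # assumed tag
        with:
          # Automatic per-run token: nothing to generate, store or rotate.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Repository secrets you create yourself (names assumed).
          VERCEL_TOKEN: ${{ secrets.VERCEL_TOKEN }}
          VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
          VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }}
```

The token is issued when the job starts and expires when it finishes, so unlike a personal access token on a bot account it is not a long-lived credential to protect.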