GitHubSecurityLab / actions-permissions

GitHub token permissions Monitor and Advisor actions
MIT License
256 stars 20 forks

Improve handling of `unknown` permissions #27

Open jsoref opened 9 months ago

jsoref commented 9 months ago

The current code is unhelpful for various reasons: https://github.com/GitHubSecurityLab/actions-permissions/blob/3dcbd6bb270cd62b67703a6c1aef904ace6a3bf3/monitor/index.js#L76-L77

  1. It generates markdown with a workflow snippet like:

    Minimal required permissions:

    permissions:
      security-events: write
      pull-requests: read
      unknown: unknown

    But if someone were to add this permission, it'd result in the workflow failing:

    [image]

  2. It doesn't use at least `::warning` or similar to call out the item https://github.com/jsoref/check-spelling/actions/runs/7331431111/job/19964051747#step:12:2

  3. The grammar in the readme is off: https://github.com/GitHubSecurityLab/actions-permissions/blob/8ecfc0d800e75e5774f8eebc81b3f48f214b8ca4/monitor/README.md?plain=1#L62

    -It would requires parsing
    +It would require parsing

Expected results

  1. Don't generate invalid workflow content
  2. Do use `# ...` in the generated workflow content
  3. Do surface the api call(s) -- if you're afraid of surfacing things, provide the client User-Agent, it should be possible to at least identify the objects being queried
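
One way to satisfy points 1 and 2 above, as an added example that is not the project's code: render the minimal-permissions snippet so that an entry the monitor could not map (such as `unknown: unknown`) becomes a YAML comment instead of an invalid key, and emit a `::warning` workflow command for it. The list of accepted `GITHUB_TOKEN` scopes is an assumption here; the sample input is constructed to match this issue.

```javascript
// Scopes GitHub accepts under `permissions:` for GITHUB_TOKEN (assumed list;
// confirm against the current GitHub docs before relying on it).
const KNOWN_SCOPES = new Set([
  'actions', 'attestations', 'checks', 'contents', 'deployments', 'discussions',
  'id-token', 'issues', 'packages', 'pages', 'pull-requests',
  'repository-projects', 'security-events', 'statuses',
]);
const KNOWN_LEVELS = new Set(['read', 'write', 'none']);

// perms: { scope: level } as collected by a monitor, e.g. { unknown: 'unknown' }
// for an API call that could not be attributed to a scope.
// Returns { yaml, warnings }: yaml is always a valid `permissions:` block,
// warnings are workflow-command lines the runner turns into job annotations.
function renderPermissions(perms) {
  const lines = ['permissions:'];
  const warnings = [];
  for (const [scope, level] of Object.entries(perms)) {
    if (KNOWN_SCOPES.has(scope) && KNOWN_LEVELS.has(level)) {
      lines.push(`  ${scope}: ${level}`);
    } else {
      // Keep the information visible, but as a comment so the snippet still parses.
      lines.push(`  # ${scope}: ${level}  (not a valid GITHUB_TOKEN permission; see job warnings)`);
      warnings.push(
        `::warning::Unmapped permission "${scope}: ${level}"; ` +
        'the API call that needed it could not be attributed to a GITHUB_TOKEN scope'
      );
    }
  }
  return { yaml: lines.join('\n'), warnings };
}

// Constructed sample reproducing the snippet reported in this issue.
const SAMPLE = { 'security-events': 'write', 'pull-requests': 'read', unknown: 'unknown' };

const rendered = renderPermissions(SAMPLE);
rendered.warnings.forEach((w) => console.log(w)); // annotation lines first
console.log(rendered.yaml);                         // then the pasteable snippet
```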
JarLob commented 3 months ago

Thank you for the feedback. I have created https://github.com/GitHubSecurityLab/actions-permissions/pull/29 for unknown permissions. As for "Do surface the api call(s)", have you tried https://github.com/GitHubSecurityLab/actions-permissions/blob/f62d32cd684392a758c627a58e0756b734bd54fd/monitor/README.md?plain=1#L46? It provides much more logging.