actions / runner

The Runner for GitHub Actions :rocket:
https://github.com/features/actions
MIT License

Runners do not log the `id-token` permission #3268

Open TapdancingRodent opened 2 months ago

TapdancingRodent commented 2 months ago

Disclaimer

Please point me elsewhere if this isn't the right place to raise this. It seems like the runner only dumps a map it gets from the job context but I couldn't find where `system.github.token.permissions` is managed.

Describe the bug

When a workflow sets the `id-token` permission the logs do not include it when reporting what permissions the `GITHUB_TOKEN` had. This is undesirable from a security and auditing perspective.

Related, but less important: the Attestations [edit: it looks like this was released yesterday] and Discussions permissions which are logged do not appear to be documented.

To Reproduce

Add the below permissions block to a workflow (e.g. a simple example)

    permissions:
      id-token: write

and check the logs of the workflow run to see that the permissions are reported as

GITHUB_TOKEN Permissions
  Metadata: read

Expected behavior

The logs would include (for instance)

GITHUB_TOKEN Permissions
  IdToken: write
  Metadata: read

Runner Version and Platform

This was tested on self-hosted runners in an EMU instance and on GitHub runners in a public repository. The reported versions from the public repository are

Current runner version: '2.316.0'
Operating System
  Ubuntu
  22.04.4
  LTS
Runner Image
  Image: ubuntu-22.04
  Version: 20240422.1.0
  Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240422.1/images/ubuntu/Ubuntu2204-Readme.md
  Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240422.1
Runner Image Provisioner
  2.0.369.1

What's not working?

See report body above

Job Log Output

See report body above

Runner and Worker's Diagnostic Logs

N/A
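An added audit helper, not code from the runner project or the reporter, that checks a job log for the gap this issue describes: it parses the `GITHUB_TOKEN Permissions` block from the log and reports any scope the workflow requested that never appears there. The log excerpt and the already-parsed `permissions:` mapping are constructed samples, and the mapping from the workflow's kebab-case scope to the log's PascalCase name (`id-token` to `IdToken`) is assumed from the expected output quoted in the report.

```python
import re

# Constructed job-log excerpt in the format quoted in the issue (not a real run).
SAMPLE_LOG = """\
Current runner version: '2.316.0'
GITHUB_TOKEN Permissions
  Metadata: read
Operating System
  Ubuntu
"""

# Constructed stand-in for the workflow's `permissions:` block after YAML parsing.
WORKFLOW_PERMISSIONS = {"id-token": "write"}

# One "  Scope: access" line inside the permissions block.
_PERM_LINE = re.compile(r"^\s+([A-Za-z]+):\s*(read|write|none)\s*$")


def parse_logged_permissions(log_text):
    """Return {scope: access} from the 'GITHUB_TOKEN Permissions' block of a job log."""
    perms = {}
    in_block = False
    for line in log_text.splitlines():
        if line.strip() == "GITHUB_TOKEN Permissions":
            in_block = True
            continue
        if in_block:
            match = _PERM_LINE.match(line)
            if not match:
                break  # the block ends at the first line that is not an indented scope
            perms[match.group(1)] = match.group(2)
    return perms


def to_log_name(scope):
    """Map a workflow scope such as 'id-token' to the name the log prints ('IdToken').
    Assumed convention, inferred from the expected output in the report."""
    return "".join(part.capitalize() for part in scope.split("-"))


def find_unlogged(workflow_perms, logged_perms):
    """Scopes the workflow asked for that the log's permissions block does not mention."""
    return sorted(s for s in workflow_perms if to_log_name(s) not in logged_perms)


if __name__ == "__main__":
    logged = parse_logged_permissions(SAMPLE_LOG)
    for scope in find_unlogged(WORKFLOW_PERMISSIONS, logged):
        print(f"requested but not logged: {scope}: {WORKFLOW_PERMISSIONS[scope]}")
```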