bigcommerce / big-design

Design system that powers the BigCommerce ecosystem.
https://bigcommerce.github.io/big-design

chore: give write-all permissions for releasing #1513

Closed chanceaclark closed 3 weeks ago

chanceaclark commented 3 weeks ago

What/why?

After doing a bit more digging into permissions for GitHub Actions, by default we are given read/write permissions for most scopes: https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

However, when we set the permissions key, it unsets the rest of the scope to no access:

> When the permissions key is used, all unspecified permissions are set to no access, with the exception of the metadata scope, which always gets read access.

Changesets works with the default permissions and they don't provide a lot of guidance on which scopes they need. The existing scopes (pre-pull request) were part of some speculation in a GitHub issue on what changesets needs, but it's not the case anymore.

For the actions/deploy-page action we have every scope we need in the default permissions, besides id-token which we need to verify that the deployment was successful. This gives the token all the permissions it needs in order to run the action.
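
As an added example (not part of this PR or the big-design repository), the sketch below models the rule quoted from the GitHub docs and compares the scopes a job is granted with the scopes it needs. The scope table is a subset of the documented permissive defaults, and `REQUIRED` is an assumed set of needs, since the PR does not list them.

```python
# Added example, not code from the big-design repository.
# DEFAULTS is a constructed subset of the permissive-default table in GitHub's docs.
DEFAULTS = {
    "actions": "write", "checks": "write", "contents": "write",
    "deployments": "write", "id-token": "none", "issues": "write",
    "metadata": "read", "packages": "write", "pages": "write",
    "pull-requests": "write", "security-events": "write", "statuses": "write",
}
RANK = {"none": 0, "read": 1, "write": 2}


def effective_permissions(permissions=None):
    """Resolve a job's GITHUB_TOKEN scopes; None means the key is absent."""
    if permissions is None:
        return dict(DEFAULTS)
    if permissions == "write-all":
        return {s: "read" if s == "metadata" else "write" for s in DEFAULTS}
    if not isinstance(permissions, dict):
        raise ValueError(f"value not covered by this model: {permissions!r}")
    unknown = sorted(set(permissions) - set(DEFAULTS))
    if unknown:
        raise ValueError(f"scopes not covered by this model: {unknown}")
    # Explicit mapping: every unspecified scope drops to none, metadata stays read.
    resolved = {s: "none" for s in DEFAULTS}
    resolved["metadata"] = "read"
    resolved.update(permissions)
    return resolved


def audit(permissions, required):
    """Return (missing, excess) scope names relative to what the job requires."""
    granted = effective_permissions(permissions)
    missing = sorted(s for s, need in required.items()
                     if RANK[granted[s]] < RANK[need])
    excess = sorted(s for s, have in granted.items()
                    if s != "metadata" and RANK[have] > RANK[required.get(s, "none")])
    return missing, excess


# Hypothetical needs of a release-and-deploy job (assumption; the PR does not list them).
REQUIRED = {"contents": "write", "pull-requests": "write",
            "pages": "write", "id-token": "write"}

if __name__ == "__main__":
    partial = {"contents": "write", "pull-requests": "write"}  # constructed sample
    for label, value in [("key absent", None), ("partial mapping", partial),
                         ("write-all", "write-all"), ("explicit", REQUIRED)]:
        print(label, audit(value, REQUIRED))
```

Under these assumptions, `write-all` and an explicit mapping of the four required scopes both leave nothing missing; only the explicit mapping also leaves nothing in excess.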

changeset-bot[bot] commented 3 weeks ago

⚠️ No Changeset found

Latest commit: 77bda186991085190b1157e40498839f77af39a2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets. When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types.
