Closed chanceaclark closed 3 weeks ago
Latest commit: 77bda186991085190b1157e40498839f77af39a2
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
Click here to learn what changesets are, and how to add one.
Click here if you're a maintainer who wants to add a changeset to this PR
What/why?
After doing a bit more digging into permissions for GitHub Actions, by default we are given read/write permissions for most scopes: https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
However, when we set the
permissions
key, it unsets the rest of the scope to no access:Changesets works with the default permissions and they don't provide a lot of guidance on which scopes they need. The existing scopes (pre-pull request) were part of some speculation in a GitHub issue on what changesets needs, but it's not the case anymore.
For the
actions/deploy-page
action we have every scope we need in the default permissions, besidesid-token
which we need to verify that the deployment was successful. This gives the token all the permissions it need in order to run the action.