goreleaser / goreleaser-action

GitHub Action for GoReleaser
https://github.com/marketplace/actions/goreleaser-action
MIT License

Define permissions for the action #311

Closed naveensrinivasan closed 2 years ago

naveensrinivasan commented 3 years ago

GitHub recommends setting permissions for actions (https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/); this will reduce the attack vector.

The action should define default permissions or provide recommendations as comments with the action.

hazcod commented 3 years ago

e.g.

```yaml
  releasecode:
    runs-on: ubuntu-latest

    permissions:
      contents: read
      packages: write

    steps:
    -
      name: Checkout
      uses: actions/checkout@v2
    -
      name: Unshallow
      run: git fetch --prune --unshallow
    -
      name: Set up Go
      uses: actions/setup-go@v2
    -
      name: Login to GitHub Container Registry
      uses: docker/login-action@v1
      with:
        registry: ghcr.io
        username: ${{ github.repository_owner }}
        password: ${{ secrets.GITHUB_TOKEN }}
    -
      name: Release
      uses: goreleaser/goreleaser-action@v2
      with:
        version: latest
        args: release --config=.github/goreleaser.yml
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        DOCKER_BUILDKIT: 1
```

crazy-max commented 3 years ago

This action itself does not require the secrets.GITHUB_TOKEN. I guess this secret is only used with the release creation by GoReleaser (cc @caarlos0).

caarlos0 commented 3 years ago

Indeed @crazy-max is correct.

caarlos0 commented 2 years ago

Closing as explained above.

hazcod commented 2 years ago

Well yes, so it does need the permissions block since release is part of goreleaser?

caarlos0 commented 2 years ago

I think

```yaml
permissions:
  contents: write
```

if you use the action token instead of a PAT.

https://goreleaser.com/ci/actions/
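The rule the thread arrives at (the action itself needs no token; GoReleaser's `release` needs `contents: write` when given `secrets.GITHUB_TOKEN`, and the ghcr.io login in the example needs `packages: write`) can be checked mechanically against a workflow file. The following is an added example, not code from goreleaser-action: it works on an already-parsed workflow (a constructed dict mirroring hazcod's job), the `REQUIRED_WRITE` mapping is an assumption of the example, and the job-level-replaces-workflow-level semantics for `permissions` is GitHub Actions behaviour.

```python
"""Check that a GoReleaser release job grants GITHUB_TOKEN only what it needs."""

# Rule from the thread: goreleaser-action itself needs no token; GoReleaser's
# `release` needs `contents: write` when handed secrets.GITHUB_TOKEN, and the
# ghcr.io login in the example needs `packages: write` for the same token.
# This mapping is an assumption of the example, not the project's own data.
REQUIRED_WRITE = {"goreleaser/goreleaser-action": "contents",
                  "docker/login-action": "packages"}
TOKEN_REF = "secrets.GITHUB_TOKEN"


def uses_github_token(step):
    """True if the step passes the workflow token via `with:` or `env:`."""
    values = list(step.get("with", {}).values()) + list(step.get("env", {}).values())
    return any(TOKEN_REF in str(v) for v in values)


def check_job(name, workflow, job):
    """Findings for one job. A job-level `permissions` block replaces the
    workflow-level one entirely, so only the nearest block is effective."""
    perms = job.get("permissions", workflow.get("permissions"))
    if perms is None:
        return [f"{name}: no permissions block, token gets the repository default"]
    if perms == "write-all":
        return [f"{name}: write-all grants far more than a release needs"]
    if isinstance(perms, str):  # "read-all" grants no write scope at all
        perms = {}
    findings = []
    for step in job.get("steps", []):
        action = step.get("uses", "").split("@")[0]
        scope = REQUIRED_WRITE.get(action)
        if scope and uses_github_token(step) and perms.get(scope) != "write":
            findings.append(f"{name}: {action} gets {TOKEN_REF} but {scope} is "
                            f"{perms.get(scope, 'unset')}, needs write")
    return findings


def check_workflow(workflow):
    return [f for name, job in workflow.get("jobs", {}).items()
            for f in check_job(name, workflow, job)]


def release_workflow(contents):
    """Constructed workflow mirroring the thread's example, already parsed."""
    return {"jobs": {"releasecode": {
        "permissions": {"contents": contents, "packages": "write"},
        "steps": [
            {"uses": "actions/checkout@v2"},
            {"uses": "docker/login-action@v1",
             "with": {"registry": "ghcr.io", "password": "${{ secrets.GITHUB_TOKEN }}"}},
            {"uses": "goreleaser/goreleaser-action@v2",
             "env": {"GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}"}}]}}}
```

Run against hazcod's `contents: read` job it reports that GoReleaser is handed the token without the write scope it needs; with `contents: write` it reports nothing. Feed it a real file by loading the workflow with a YAML parser into the same dict shape.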