mvasigh / dispatch-action

Github Action for triggering other workflows via message passing
MIT License
57 stars 9 forks

Clarify permissions for the PAT token #19

Closed yanntm closed 3 years ago

yanntm commented 3 years ago

While the documentation explains how to setup a personal access token, it is unclear what permissions the token needs to be granted.

As this screenshot shows, there are quite a few possibilities.

Do we need full repo access, or only notifications?

https://docs.github.com/assets/images/help/settings/token_scopes.gif

schickm commented 3 years ago

Yeah...even the Github docs on the matter don't really clarify it!

https://docs.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token

yanntm commented 3 years ago

I gave mine only "public_repo" and that worked for my repos (which are indeed public).

Yes, I guess we should escalate and make an issue on that "documentation" repo, if they don't know, we can't really spend time guessing.

yanntm commented 3 years ago

OK, we'll see if someone answers. https://github.community/t/access-token-permissions-required-to-trigger-a-workflow/183180

mvasigh commented 3 years ago

Hey all, thanks for the links and for opening the community thread. I've left out more specific details in docs for this action partly because I have no idea what the bare minimum permissions required are. As @schickm pointed out, the best source I had was Github's documentation which only suggests enabling the repo scope, but doesn't get more specific about what parts of the scope are necessary.

It doesn't look like the linked community thread gets more into specifics, but if any of you have more knowledge or form a better understanding of the permission model, please let me know or open a PR!

mvasigh commented 3 years ago

That said I did just notice that I didn't mention the repo scope in README, went ahead and fixed that.

yanntm commented 3 years ago

So, given the answer on the forum, I think "repo" for private repositories, or simply "public_repo" if the target of the notification is a public repo, are the minimal and sufficient token permissions.
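One way to verify a PAT against the conclusion above before wiring it into the action. This is an added example for this thread, not code from mvasigh/dispatch-action; it relies on GitHub returning a classic token's scopes in the X-OAuth-Scopes response header and on the repos API reporting a "private" field, and it applies the thread's rule (repo for private targets, public_repo is enough for public ones). The token value, repo names and the sample API response are constructed.

```python
"""Check a classic GitHub PAT's scopes against a repository_dispatch target,
then build the dispatch request the action would send.

Added example for this issue thread; not the action's own code.
"""
import json
import urllib.request

API = "https://api.github.com"

# Classic PAT scopes that let a token act on public repositories. `repo` is
# the parent scope and implies `public_repo`; the reverse is not true.
SCOPES_COVERING_PUBLIC = {"repo", "public_repo"}


def parse_scopes(header_value):
    """Turn an X-OAuth-Scopes header such as 'repo, workflow' into a set."""
    return {s.strip() for s in (header_value or "").split(",") if s.strip()}


def required_scope(target_is_private):
    """Minimal scope for repository_dispatch per the thread's conclusion."""
    return "repo" if target_is_private else "public_repo"


def scope_sufficient(scopes, target_is_private):
    """True if `scopes` can trigger repository_dispatch on the target."""
    if target_is_private:
        return "repo" in scopes
    return bool(scopes & SCOPES_COVERING_PUBLIC)


def check_token(scopes_header, repo_meta):
    """Combine a token's scopes with the target repo's metadata.

    `repo_meta` is a dict shaped like GET /repos/{owner}/{repo}; only the
    boolean "private" field is used. Returns (ok, explanation).
    """
    scopes = parse_scopes(scopes_header)
    private = bool(repo_meta.get("private", False))
    need = required_scope(private)
    if scope_sufficient(scopes, private):
        return True, f"token scopes {sorted(scopes)} cover '{need}'"
    return False, f"token scopes {sorted(scopes)} lack '{need}' for a " \
                  f"{'private' if private else 'public'} repo"


def dispatch_body(event_type, client_payload=None):
    """JSON body for POST /repos/{owner}/{repo}/dispatches."""
    body = {"event_type": event_type}
    if client_payload is not None:
        body["client_payload"] = client_payload
    return body


def dispatch_request(owner, repo, token, event_type, client_payload=None):
    """Build (but do not send) the repository_dispatch request.

    The target workflow must declare `on: repository_dispatch` (optionally
    with `types: [event_type]`) or nothing will run. Note the default
    GITHUB_TOKEN cannot be used here: runs it triggers do not start new
    workflows, which is why a PAT is needed at all.
    """
    return urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/dispatches",
        data=json.dumps(dispatch_body(event_type, client_payload)).encode(),
        method="POST",
        headers={
            "Authorization": f"token {token}",
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
        },
    )


def live_scopes(token):
    """Network lookup: any authenticated call echoes the token's scopes."""
    req = urllib.request.Request(
        f"{API}/user", headers={"Authorization": f"token {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")


if __name__ == "__main__":
    # Constructed sample: a token scoped only to public_repo, aimed at a
    # private target, which the thread says is insufficient.
    sample_repo_meta = {"full_name": "example-org/private-target", "private": True}
    ok, why = check_token("public_repo, workflow", sample_repo_meta)
    print("OK" if ok else "INSUFFICIENT", "-", why)
    req = dispatch_request("example-org", "private-target", "ghp_example",
                           "deploy", {"ref": "main"})
    print(req.get_method(), req.full_url, req.data.decode())
```

Because `repo` grants read/write on every private repository the token owner can reach, the practical minimum is to create the PAT on a dedicated machine account with access only to the target repository, and to prefer `public_repo` whenever the target is public.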

yanntm commented 3 years ago

I'm fine for closing the issue, thanks for building this action.

mvasigh commented 3 years ago

Sounds good to me, thanks for bringing this up!