Open mhuijgen opened 1 year ago
This permission example helped me a lot to configure Scorecard in our GHES instance with a private repo. It should definitely be part of the documentation!!!
If someone is using a PAT and is getting the corresponding error with the default config on a private repo:
Error: RunScorecard: internal error: ListCommits:error during graphqlHandler.setup: internal error: githubv4.Query: Resource not accessible by personal access token
I had to grant the following extra permissions to my fine grained PAT:
All three seem to be necessary.
It seems that the default permissions given as an example in the docs, or in the default template when you add the action to your repo, are not sufficient on private repos at least. I have not tested it on a public one.
It seems the default read-only permissions at workflow level have no influence any more once job-specific permissions are set. I had to add the following to allow the action to run at all without erroring out:
Without these extra permissions it fails very fast with the following error:
Also I noticed that without the permission
the rule with ruleid SASTID is not working; it auto-closes this security issue if I remove this permission.
Full workflow that works for us using the default GITHUB_TOKEN (no checks on branch protection or webhooks since that would require a PAT).