instructions a bit vague around access tokens

travis-infosec commented 1 month ago

Hello,

I'm attempting to use your system for pulling two private repos that are dependencies of the current one. I should be able to do this as my specialty is cryptology & security, but am having trouble with your documentation.

Assume repo A that has dependencies of repo B and C. Assume that I'm making all my changes in development branches.

In repo B, I have this in the develop branch in .github/access_token.yml (I kept widening the policy to try and get it to work, so this is not a permanent config)

origin: ORG_HERE/PROJ_A
statements:
  - subjects:
      - repo:${origin}:ref:refs/heads/main
      - repo:${origin}:ref:refs/heads/develop
      - repo:${origin}:ref:refs/tags/v*
      - repo:${origin}:environment:production
      - repo:${origin}:workflow_ref:${origin}/.github/workflows/ci.yml
      - repo:${origin}:workflow_ref:${origin}/.github/workflows/ci.yml@*
      - repo:${origin}:workflow_ref:${origin}/.github/workflows/ci.yml@refs/pull/234/merge
      - repo:${origin}:pull_request
    permissions: # https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps
      contents: read # read or write

And in repo C, I have this in develop branch:

origin: ORG_HERE/PROJ_A
statements:
  - subjects:
      - repo:${origin}:ref:refs/heads/main
      - repo:${origin}:ref:refs/heads/develop
      - repo:${origin}:ref:refs/tags/v*
      - repo:${origin}:environment:production
      - repo:${origin}:workflow_ref:${origin}/.github/workflows/ci.yml
      - repo:${origin}:workflow_ref:${origin}/.github/workflows/ci.yml@*
      - repo:${origin}:workflow_ref:${origin}/.github/workflows/ci.yml@refs/pull/234/merge
      - repo:${origin}:pull_request
    permissions: # https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps
      contents: read # read or write

In repo A, I had something like this:

      - name: Set up access to PROJ_B
        uses: qoomon/actions--access-token@v3
        id: access-token-PROJ_B
        with:
          repository: PROJ_B
          permissions: |
            contents: read
      - name: Checkout repo - PROJ_B
        uses: actions/checkout@v4
        with:
          repository: ORG_HERE/PROJ_B
          token: ${{ steps.access-token-PROJ_B.outputs.token }}
          path: PROJ_B
          ref: develop

However, I was getting the error that the action was denied by (ORG_HERE) owner policy.

There's not a lot more debug info in the stack trace - it was in merge... process ticks ... http request ... get access token. If you really need it I'll repro and scrub any company-specific info out of it.

I think that this is checking for a .github/access-token.yml in the main branch, and not finding it, and then falling back to the fact we don't have an owner policy repo set up, because none of your several StackOverflow comments mention having to set up an owner policy. Can you please confirm?

It's not clear at all what the owner policy is... so I'm a bit baffled - but your tool seems very useful!