redhat-plumbers-in-action / differential-shellcheck

🐚 GitHub Action for running ShellCheck differentially
GNU General Public License v3.0

Token permissions confusion #417

Closed jasonkarns closed 5 months ago

jasonkarns commented 5 months ago

Type of issue

other

Description

The readme seems to show conflicting information regarding the permissions necessary for the token.

In the sample workflow it indicates that security-events: write is required for all workflows (as opposed to private repo workflows).

But under the token docs, it contradicts that statement:

Token with the public_repo scope for public repositories only.

Describe the solution you'd like

Through trial and error it became clear that security-events: write is indeed necessary for public repos (contradicting the docs for token in the readme), but only if using the action itself to upload? One could skip the upload, or use GitHub's own CodeQL action to upload, which would presumably only require contents: read for this action?

Either way, I think this confusion could be cleared up a bit.
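A least-privilege workflow that matches what the thread concludes: contents: read at the top level, and security-events: write granted only on the job that uploads SARIF to code scanning. This is an added example, not the project's README snippet; the action's token input, the fetch-depth: 0 checkout and the version tag are assumptions to verify against the current README.

```yaml
name: Differential ShellCheck

on:
  pull_request:
    branches: [main]

# Default for every job: read-only access to repository contents.
permissions:
  contents: read

jobs:
  shellcheck:
    runs-on: ubuntu-latest

    # Needed by the action's built-in SARIF upload to code scanning,
    # on public and private repositories alike. Drop this block and
    # let the action skip the upload (or upload with
    # github/codeql-action/upload-sarif in a separate job) if you
    # want this job to run with contents: read only.
    permissions:
      security-events: write

    steps:
      - name: Repository checkout
        uses: actions/checkout@v4
        with:
          # Full history so the action can diff changed shell files (assumed requirement).
          fetch-depth: 0

      - id: shellcheck
        name: Differential ShellCheck
        uses: redhat-plumbers-in-action/differential-shellcheck@v5   # tag assumed; use the README's release
        with:
          # Token used for the SARIF upload (input name assumed from the README).
          token: ${{ secrets.GITHUB_TOKEN }}

      - if: ${{ always() }}
        name: Keep the SARIF report as a build artifact
        uses: actions/upload-artifact@v4
        with:
          name: differential-shellcheck-sarif
          path: ${{ steps.shellcheck.outputs.sarif }}   # output name assumed
```

The job-level permissions block is the part the readme's token section should point to; without security-events: write the upload step fails with a 403 even though the linting itself succeeds.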

jamacku commented 5 months ago

Thank you for reporting this documentation issue. It's indeed misleading.

security-events: write is required for all workflows. Unfortunately, the token section of the documentation wasn't updated accordingly.

jamacku commented 5 months ago

@jasonkarns, I would appreciate your review on:

Thank you