rhysd / actionlint

:octocat: Static checker for GitHub Actions workflow files
https://rhysd.github.io/actionlint/
MIT License

False positive: `attestations` permission #421

Closed woodruffw closed 3 weeks ago

woodruffw commented 3 weeks ago

First of all, thanks for this tool!

actionlint is currently flagging workflows that set the attestations permission, which was recently added: https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/. This should be allowed instead, since it's now a well-known permission.

Here's an example CI failure caused by actionlint: https://github.com/Homebrew/homebrew-core/actions/runs/8992021433/job/24700868295?pr=171085

And the concrete error:

Run actionlint
Error: .github/workflows/publish-commit-bottles.yml:247:7: unknown permission scope "attestations". all available permission scopes are "actions", "checks", "contents", "deployments", "discussions", "id-token", "issues", "packages", "pages", "pull-requests", "repository-projects", "security-events", "statuses" [permissions]
    |
247 |       attestations: write # for `generate build provenance`
    |       ^~~~~~~~~~~~~
Error: Process completed with exit code 1.

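The check behind the error above, as an added example that is not actionlint's own code: a small standalone script that walks every block-style `permissions:` mapping in a workflow and reports scopes outside a known allow-list, which here includes `attestations`. The allow-list (the scopes from the error message plus `attestations`) and the sample workflow are constructed for this example.

```python
import re

# Scopes actionlint listed in the error above, plus "attestations" (constructed
# allow-list for this example; actionlint's own table lives in its source).
KNOWN_SCOPES = frozenset({
    "actions", "attestations", "checks", "contents", "deployments", "discussions",
    "id-token", "issues", "packages", "pages", "pull-requests",
    "repository-projects", "security-events", "statuses",
})
ACCESS_LEVELS = frozenset({"read", "write", "none"})

# Constructed sample: one valid job-level block plus a misspelled scope.
SAMPLE_WORKFLOW = """\
permissions: {}
jobs:
  build:
    permissions:
      contents: read
      id-token: write
      attestations: write # for build provenance
      atestations: write # typo, must be reported
    steps:
      - run: echo build
"""

def check_permissions(workflow_text: str) -> list[str]:
    """Report unknown scopes/levels in block-style permissions mappings (line-based, no YAML dependency)."""
    problems, lines, i = [], workflow_text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^(\s*)permissions:", lines[i])
        if not m:
            i += 1
            continue
        indent = len(m.group(1))
        i += 1
        while i < len(lines):  # consume the nested mapping under permissions:
            body = lines[i].split("#", 1)[0].rstrip()  # drop trailing comments
            if body.strip() and len(body) - len(body.lstrip()) <= indent:
                break  # dedented: mapping ended; outer loop re-examines this line
            entry = re.match(r"^\s*([\w-]+):\s*(\S+)\s*$", body)
            if entry:
                scope, level = entry.groups()
                if scope not in KNOWN_SCOPES:
                    problems.append(f"{i + 1}: unknown permission scope {scope!r}")
                elif level not in ACCESS_LEVELS:
                    problems.append(f"{i + 1}: unknown access level {level!r}")
            i += 1
    return problems
```

Flow-style mappings such as `permissions: {contents: read}` are skipped by this parser; actionlint handles the full YAML grammar.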
woodruffw commented 3 weeks ago

Whoops, this was already fixed in https://github.com/rhysd/actionlint/commit/1f0efe145326c0886ba32791ffc9d70e12ae6107. Sorry for the noise!