spenserblack / actions-wiki

:open_book: Deploy docs from your source tree to a GitHub wiki
https://github.com/marketplace/actions/wiki-update
MIT License
9 stars 2 forks

Do you actually need a user-generated GitHub PAT? #5

Closed jcbhmr closed 1 year ago

jcbhmr commented 1 year ago

I notice from the readme:

Unfortunately, ${{ github.token }} does not have access to updating wiki repositories, so it is necessary to create a new PAT.

I don't think this is true? I was under the impression from my own attempt at a sub-par wiki action https://github.com/jcbhmr/publish-to-github-wiki that you can just use the ${{ github.token }} as long as you have the content: write permission.

name: Test publish to own wiki
on:
  push:
    paths:
      - index.sh
      - action.yml
      - .github/workflows/test-publish-to-own-wiki.yml
      - wiki/**
concurrency: test-publish-to-own-wiki
jobs:
  test-publish-to-own-wiki:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # This just uses the secrets.GITHUB_TOKEN (or github.token, both are equivalent)
      - uses: ./

Recently GitHub did change up their permissions defaults to make them no longer write-permissive by default which may have thrown things off? I have already been bitten by this: https://github.com/jcbhmr/devcontainer-features/issues/2

Am I completely wrong? Is there something I'm missing? 🤷‍♂️

spenserblack commented 1 year ago

First: I'd be happy to be proven wrong about this, since manually creating a PAT is a bit annoying 🙂

As far as I know, the default GitHub token available in actions (secrets.GITHUB_TOKEN/github.token) is limited to only being able to access the repo that triggered the action. In my experience, that limitation means it has read access to the wiki repository, since it's a public repository, but does not have write access, since it's a different remote URL.

If you could find a way to get this action to work without creating a PAT, and documented it, I'd be very grateful :pray:

jcbhmr commented 1 year ago

There's some more discussion about this that I had with @Andrew-Chen-Wang over in https://github.com/Andrew-Chen-Wang/github-wiki-action/issues/17 that is at least tangentially related to this.

Andrew-Chen-Wang commented 1 year ago

Although it's not mentioned in any GitHub issues in my repo, I made the repo from inspo that you couldn't delete files from decathlon's action. Someone who beta tested said a GitHub PAT is needed, so that's why I've got it in my repo as well.

jcbhmr commented 1 year ago

👍 @Andrew-Chen-Wang good to know! I'd love to contribute some wiki documentation about:

  1. how the heck the GITHUB_TOKEN value is used when pushing to git (could also be applicable to PAT when pushing from your own PC using the git push cli)
  2. what/how a user can/needs to use the permissions: ... github actions yml value to set the proper permissions (this seems to be a recurring issue https://github.com/Andrew-Chen-Wang/github-wiki-action/discussions/14#discussioncomment-2769855)

same for @spenserblack I'd love to help document stuff in your readme! ❤ more docs are more better

jcbhmr commented 1 year ago

After some investigative journalism (looking at what others have done) and research (reading the docs), I've come to the conclusion that you don't need a PAT to push to the wiki of a repo. You just need the content: write permission. This lets you push, force push, pull, etc. with the git endpoint at user/repo.wiki.git. Sometimes, git even caches the token for a particular origin, so you don't need to re-auth if you git clone! You can just git push and it works for that same origin!

This can be reflected in the readme refactor #9
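The two things the thread settles, the `permissions:` key a workflow needs and how the job token is handed to `git` for the push, fit in one workflow. The following is an added example written for this thread, not code from spenserblack/actions-wiki or any of the actions mentioned; it assumes the docs live under `wiki/` in the source tree, that the repository's wiki has already been created once through the web UI (the `<owner>/<repo>.wiki.git` remote does not exist until then), and that the wiki repository uses the `master` branch as GitHub wikis do by default.

```yaml
name: Publish docs to wiki
on:
  push:
    branches: [main]
    paths:
      - wiki/**

# Job-scoped GITHUB_TOKEN, granted the minimum the push needs.
# `contents: write` also covers the <owner>/<repo>.wiki.git remote,
# so no personal access token is involved. Everything else stays
# at the (now read-only) default.
permissions:
  contents: write

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Push wiki/ to the wiki repository
        env:
          GH_TOKEN: ${{ github.token }}
          # Assumed layout: the wiki remote for the repo running the workflow.
          WIKI_REMOTE: https://github.com/${{ github.repository }}.wiki.git
        run: |
          set -euo pipefail
          # Send the token as an Authorization header (the same mechanism
          # actions/checkout uses) instead of embedding it in the remote URL,
          # so it is never written to .git/config or echoed by git on failure.
          AUTH="AUTHORIZATION: basic $(printf 'x-access-token:%s' "$GH_TOKEN" | base64 -w0)"

          git -c "http.extraheader=$AUTH" clone --depth 1 "$WIKI_REMOTE" /tmp/wiki
          # Mirror the source tree's wiki/ into the checkout; --delete removes
          # pages that no longer exist in the source tree.
          rsync -a --delete --exclude .git wiki/ /tmp/wiki/

          cd /tmp/wiki
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git add -A
          if git diff --cached --quiet; then
            echo "Wiki already up to date"
            exit 0
          fi
          git commit -m "Publish wiki from ${GITHUB_SHA}"
          git -c "http.extraheader=$AUTH" push "$WIKI_REMOTE" HEAD:master
```

The `permissions:` block at the top level applies to every job; moving it under `publish:` scopes it to that job alone, which is preferable once the workflow grows other jobs. The token is only valid while the job runs, so there is no long-lived credential to rotate or leak, which is the practical difference from the PAT approach the readme describes.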

spenserblack commented 1 year ago

If it's alright, would you be able to link to a successful workflow run that uses github.token so that I can be sure about this?

jcbhmr commented 1 year ago

Sure! Here's some of my research items:

Here's what I mean by "old default write"

[screenshot: the workflow permissions setting with its two options, read/write and read-only]

https://github.blog/changelog/2023-02-02-github-actions-updating-the-default-github_token-permissions-to-read-only/

Now the default is the second "readonly" option, not the read/write one