cohix
commented
2 years ago I thought the github_token that every action runner has access to has the public_repo scope?
Closed javorszky closed 2 years ago
cohix
commented
2 years ago I thought the github_token that every action runner has access to has the public_repo scope?
javorszky
commented
2 years ago I thought the github_token that every action runner has access to has the public_repo scope?
Sadly it isn't. I updated the test workflow to use the github token, and got an issue for resource inaccessible to the integration error, something that did not happen in the previous successful ones: https://github.com/javorszky/workflow-test-source/runs/5033773891?check_suite_focus=true
Github says there are a few ways to reach the token here: https://docs.github.com/en/actions/security-guides/automatic-token-authentication
I tried both secrets.GITHUB_TOKEN and github.token, and both had the inaccessible issue.
The default permissions for the github token available to the workflows are these: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
We can also elevate / lower the permissions of the token from within the workflow itself: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
The permissions needed for the dispatch endpoint are either
I tried with setting the contents permission to write as well (metadata is always at least read), but got the same inaccessible error.
I think the reason for that is when I elevate the contents to write, it still refers to the repository that the workflow is running in, and I'd need to change the context of another repository.
cohix
commented
2 years ago @javorszky interesting... I'm ok with creating a personal access token for this, the only issue is that they expire, and need to be replaced regularly, which is something we may forget or neglect.
That said, I created a token (set to expire in 6 months), and added it to this repo under RELEASE_GITHUB_TOKEN... go nuts :)
cohix
commented
2 years ago Updated the name of the secret to be REPOTOKEN
Please add something to the knowledge base in Notion about what this is, what it's used for, and how to refresh it :)
javorszky
commented
2 years ago Awesome, thank you! I'll get to it soon.
javorszky
commented
2 years ago Knowledge base updated. I'm merging this :)
Closes #182
Adds workflow on release for subo to send data to the homebrew-subo repository to update the homebrew formula.
The three pieces of data to be sent are tag, sha256 of the release, and the url of the newly created release.
These are used in the formula. See https://github.com/suborbital/homebrew-subo/pull/4
The only niggle is that the job needs a personal access token with the public_repo scope. See https://github.com/peter-evans/repository-dispatch#token
That needs to be saved as REPOTOKEN.