mirror of
https://github.com/peter-evans/repository-dispatch.git
synced 2026-06-11 11:21:25 +00:00
Fix: Information related to tokens in README
Fix documentation related to tokens. The secrets.GITHUB_TOKEN provided by the GitHub Actions App can do everything related to the repo if we elevate its permissions, including calling workflow_dispatch and repository_dispatch. Some people in my organization are using PATs instead of the secrets.GITHUB_TOKEN when using this action because of this README suggestion, even when they are calling the same repository. Using PATs in that context provides unnecessary security risks.
13
README.md
@@ -18,15 +18,22 @@ A GitHub action to create a repository dispatch event.
|
||||
|
||||
| Name | Description | Default |
|
||||
| --- | --- | --- |
|
||||
| `token` | (**required**) A `repo` scoped GitHub [Personal Access Token](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token). See [token](#token) for further details. | |
|
||||
| `token` | (**required**) A GitHub access token with `actions: write` permission to the repository being dispatched. | |
|
||||
| `repository` | The full name of the repository to send the dispatch. | `github.repository` (current repository) |
|
||||
| `event-type` | (**required**) A custom webhook event name. | |
|
||||
| `client-payload` | JSON payload with extra information about the webhook event that your action or workflow may use. | `{}` |
|
||||
|
||||
#### `token`
|
||||
|
||||
This action creates [`repository_dispatch`](https://developer.github.com/v3/repos/#create-a-repository-dispatch-event) events.
|
||||
The default `GITHUB_TOKEN` does not have scopes to do this so a `repo` scoped [PAT](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) created on a user with `write` access to the target repository is required.
|
||||
This action creates [`repository_dispatch`](https://developer.github.com/v3/repos/#create-a-repository-dispatch-event) events. The default `GITHUB_TOKEN`
|
||||
token can only be used if you are dispatching the same repo. In this case you must assign the permission `action: write` to the token, see [permissions api](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs). Example:
|
||||
```yaml
|
||||
permissions:
|
||||
actions: write
|
||||
```
|
||||
|
||||
The solution to trigger other repositories is to manually create a PAT and store it as a secret e.g. `${{ secrets.PERSONAL_TOKEN }}`.
|
||||
|
||||
If you will be dispatching to a public repository then you can use the more limited `public_repo` scope.
|
||||
|
||||
## Example
|
||||
|
||||
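Review bot: The added prose names the permission as `action: write`, while the `token` table row and the YAML example in this same hunk use `actions: write`; change the prose to `actions: write` so a reader copying it gets the key the example shows. The same sentence reads "The default `GITHUB_TOKEN` token can only be used" across the line break, so drop the repeated "token". With the old sentence that named the `repo` scoped PAT gone, the text on dispatching to other repositories no longer says which scope the PAT needs, and the retained `public_repo` line says "more limited" with nothing left to compare against; suggest "manually create a `repo` scoped PAT" in the new sentence. The new `token` table row also loses the "See [token](#token) for further details" pointer even though the section is still there, and its wording (`actions: write` permission) describes only the `GITHUB_TOKEN` case, not the PAT case the section goes on to cover.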