From 77fb4638847c44d4efbb2aa33ebb476b4c94f484 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vin=C3=ADcius=20Vargas?=
Date: Mon, 10 Oct 2022 05:37:25 -0300
Subject: [PATCH 1/2] Fix: Information related to tokens in README

Fix documentation related to tokens.

The secrets.GITHUB_TOKEN provided by the GitHub Actions App can do everything related to the repo if we elevate its permissions, including calling workflow_dispatch and repository_dispatch. Some people in my organization are using PATs instead of the secrets.GITHUB_TOKEN when using this action because of this README suggestion, even when they are calling the same repository. Using PATs in those contexts provides unnecessary security risks.
---
 README.md | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 9c86df0..1374303 100644
--- a/README.md
+++ b/README.md
@@ -18,15 +18,22 @@ A GitHub action to create a repository dispatch event. | Name | Description | Default | | --- | --- | --- | -| `token` | (**required**) A `repo` scoped GitHub [Personal Access Token](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token). See [token](#token) for further details. | | +| `token` | (**required**) A GitHub access token with `actions: write` permission to the repository being dispatched. | | | `repository` | The full name of the repository to send the dispatch. | `github.repository` (current repository) | | `event-type` | (**required**) A custom webhook event name. | | | `client-payload` | JSON payload with extra information about the webhook event that your action or workflow may use. | `{}` | #### `token` -This action creates [`repository_dispatch`](https://developer.github.com/v3/repos/#create-a-repository-dispatch-event) events. -The default `GITHUB_TOKEN` does not have scopes to do this so a `repo` scoped [PAT](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) created on a user with `write` access to the target repository is required. +This action creates [`repository_dispatch`](https://developer.github.com/v3/repos/#create-a-repository-dispatch-event) events. The default `GITHUB_TOKEN` +token can only be used if you are dispatching the same repo. In this case you must assign the permission `action: write` to the token, see [permissions api](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs). Example: +```yaml +permissions: + actions: write +``` + +The solution to trigger other repositories is to manually create a PAT and store it as a secret e.g. `${{ secrets.PERSONAL_TOKEN }}`. + If you will be dispatching to a public repository then you can use the more limited `public_repo` scope. ## Example From 3c4e552d1053f3fce9b9acaa7e493a51a058abaf Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Vin=C3=ADcius=20Vargas?= Date: Mon, 10 Oct 2022 05:38:56 -0300 Subject: [PATCH 2/2] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1374303..ce58fb1 100644 --- a/README.md +++ b/README.md @@ -32,7 +32,7 @@ permissions: actions: write ``` -The solution to trigger other repositories is to manually create a PAT and store it as a secret e.g. `${{ secrets.PERSONAL_TOKEN }}`. +The solution to trigger other repositories is to manually create a [PAT](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) and store it as a secret e.g. `${{ secrets.PERSONAL_TOKEN }}`. If you will be dispatching to a public repository then you can use the more limited `public_repo` scope.
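Review bot: in the PATCH 1/2 hunk, the added prose under `#### token` says "you must assign the permission `action: write`" (singular) while the YAML example immediately below and the new table row both use `actions: write`; make the prose match the key actually used in the example. The same sentence reads "The default `GITHUB_TOKEN` token can only be used", doubling the word "token". The removed line was also the only place that stated the PAT must be `repo` scoped and created on a user with write access to the target repository, yet the unchanged sentence "you can use the more limited `public_repo` scope" still compares against that scope; suggest carrying the requirement into the new PAT sentence, e.g. "manually create a `repo` scoped PAT on a user with write access to the target repository", so the cross-repository path keeps the least-privilege guidance the commit message argues for.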
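Review bot: the PATCH 2/2 hunk only restores the documentation link on `PAT` that PATCH 1/2 dropped from the same sentence; consider squashing it into PATCH 1/2 so the series does not introduce an unlinked version of the sentence and then correct it one commit later. The linked sentence still names no scope for the PAT, while the following unchanged line refers to "the more limited `public_repo` scope"; stating the scope here (the removed text named `repo`) would make that comparison read correctly.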