Merge pull request #124 from peter-evans/token-update

Token update

.github/workflows/ci.yml

@@ -14,6 +14,7 @@ on:
 permissions:
   pull-requests: write
   contents: write
+  actions: write
 
 jobs:
   build:
@@ -60,14 +61,12 @@ jobs:
       - name: Test repository dispatch
         uses: ./
         with:
-          token: ${{ secrets.REPO_ACCESS_TOKEN }}
           event-type: tests
           client-payload: '{"ref": "${{ github.ref }}", "sha": "${{ github.sha }}"}'
 
       - name: Test repository dispatch (default payload)
         uses: ./
         with:
-          token: ${{ secrets.REPO_ACCESS_TOKEN }}
           event-type: tests
 
   package:

README.md

@@ -6,6 +6,22 @@ A GitHub action to create a repository dispatch event.
 
 ## Usage
 
+Dispatch an event to the current repository by elivating the permissions of the default `GITHUB_TOKEN`.
+```yml
+permissions:
+  actions: write
+
+jobs:
+  repositorydispatch:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Repository Dispatch
+        uses: peter-evans/repository-dispatch@v2
+        with:
+          event-type: my-event
+```
+
+Dispatch an event to a remote repository using a `repo` scoped [Personal Access Token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token).
 ```yml
       - name: Repository Dispatch
         uses: peter-evans/repository-dispatch@v2
@@ -18,15 +34,23 @@ A GitHub action to create a repository dispatch event.
 
 | Name | Description | Default |
 | --- | --- | --- |
-| `token` | (**required**) A `repo` scoped GitHub [Personal Access Token](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token). See [token](#token) for further details. | |
+| `token` | (**required**) `GITHUB_TOKEN` (permissions `actions: write`) or a `repo` scoped [Personal Access Token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token). See [token](#token) for further details. | `GITHUB_TOKEN` |
 | `repository` | The full name of the repository to send the dispatch. | `github.repository` (current repository) |
 | `event-type` | (**required**) A custom webhook event name. | |
 | `client-payload` | JSON payload with extra information about the webhook event that your action or workflow may use. | `{}` |
 
-#### `token`
+#### Token
 
-This action creates [`repository_dispatch`](https://developer.github.com/v3/repos/#create-a-repository-dispatch-event) events.
-The default `GITHUB_TOKEN` does not have scopes to do this so a `repo` scoped [PAT](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) created on a user with `write` access to the target repository is required.
+This action creates [`repository_dispatch`](https://docs.github.com/en/rest/repos/repos#create-a-repository-dispatch-event) events.
+The default `GITHUB_TOKEN` token can only be used if you are dispatching the same repository that the workflow is executing in.
+In this case you must [elevate the token permissions](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs) to allow the dispatch.
+
+```yaml
+permissions:
+  actions: write
+```
+
+To dispatch to a remote repository you must create a [Personal Access Token (PAT)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) with the `repo` scope and store it as a secret.
 If you will be dispatching to a public repository then you can use the more limited `public_repo` scope.
 
 ## Example

action.yml

@@ -2,8 +2,8 @@ name: 'Repository Dispatch'
 description: 'Create a repository dispatch event'
 inputs:
   token:
-    description: 'A repo scoped GitHub Personal Access Token'
-    required: true
+    description: 'GITHUB_TOKEN or a `repo` scoped Personal Access Token (PAT)'
+    default: ${{ github.token }}
   repository:
     description: 'The full name of the repository to send the dispatch.'
     default: ${{ github.repository }}