Wrong possible id-token permissions types listed #33483
Comments
Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
@cmaster11 Thank you for opening this issue! I'll get this triaged for review ✨
My guess is that it can become TL;DR: — Originally posted by @janbrasna in #32320 (comment):
Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀
👋 Hello from Actions Engineering, I can confirm that

```json
"id-token": {
  "type": "permission-level-write-or-no-access",
  "description": "Token to request an OpenID Connect token."
},
```

This permission is only used for creating OIDC tokens, there are no resources to read.
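The rule confirmed above (`id-token` is write-or-no-access, every other scope is read/write/none) as a small lint over an already-parsed workflow, added here as an example and not code from this issue or from GitHub; the scope tables, `validate_permissions`, `lint_workflow` and the sample workflow dict are all constructed for the demo, and it assumes a YAML loader has already turned the workflow file into a dict.

```python
# Added example: lint the `permissions` block of a GitHub Actions workflow.
# Encodes the rule from the thread: `id-token` is write-or-no-access, so
# `read` is not a valid level for it, while other scopes take read/write/none.
# Assumes the workflow YAML is already parsed into a dict (hypothetical input).

WRITE_OR_NONE = {"id-token"}            # levels: write | none
GENERAL_LEVELS = ("read", "write", "none")
SHORTHANDS = {"read-all", "write-all"}  # string form of `permissions:`


def validate_permissions(perms):
    """Return a list of problem strings for one `permissions` value."""
    problems = []
    if perms is None:               # key absent: defaults apply, nothing to check
        return problems
    if isinstance(perms, str):      # `permissions: read-all` / `write-all`
        if perms not in SHORTHANDS:
            problems.append(f"unknown shorthand {perms!r}")
        return problems
    if not isinstance(perms, dict):
        return ["permissions must be a mapping or a shorthand string"]
    for scope, level in perms.items():
        if scope in WRITE_OR_NONE and level not in ("write", "none"):
            problems.append(f"{scope}: {level!r} is invalid; use write or none")
        elif scope not in WRITE_OR_NONE and level not in GENERAL_LEVELS:
            problems.append(f"{scope}: {level!r} is invalid; use read, write or none")
    return problems


def lint_workflow(workflow):
    """Check workflow-level and per-job permissions; returns {location: problems}."""
    report = {}
    top = validate_permissions(workflow.get("permissions"))
    if top:
        report["workflow"] = top
    for name, job in (workflow.get("jobs") or {}).items():
        job_problems = validate_permissions(job.get("permissions"))
        if job_problems:
            report[f"jobs.{name}"] = job_problems
    return report


# Constructed sample: the deploy job asks for the non-existent id-token: read.
SAMPLE_WORKFLOW = {
    "permissions": {"contents": "read"},
    "jobs": {
        "deploy": {"permissions": {"id-token": "read", "contents": "read"}},
        "audit": {"permissions": {"id-token": "none", "issues": "admin"}},
    },
}
```

Calling `lint_workflow(SAMPLE_WORKFLOW)` flags the `deploy` job for `id-token: read` and the `audit` job for the unknown level `admin`; a clean workflow returns an empty dict.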
@joshmgross 🤙 Yo, thanks for confirming! May I ask what happens if one sets
Now it is clear it can't be set to "read", but there's still the confusion about why it is documented (and confirmed by staff on several occasions) to default to "read" in some cases, see: automatic-token-authentication#permissions-for-the-github_token ("Maximum access for pull requests from public forked repositories")
👋 Hey @janbrasna, sorry for the confusion there.
That "Maximum access for pull requests from public forked repositories" section should list
That should be "default value issued to
There's no functional difference between these two because there are no
Lovely. Thanks for confirming. That finally makes sense and I thought this should be the case, but didn't want to make the call (esp. since it's been around like this basically from its inception ~3yrs ago…;)) @joshmgross If I can be so bold, I'd love a fact-check from such an SME on PR #34306 reflecting this if you wouldn't mind someday… Appreciate it.
What article on docs.github.com is affected?
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
What part(s) of the article would you like to see updated?
In the Defining access for the GITHUB_TOKEN scopes section, the `id-token` permission is listed with `read|write|none`, but that permission cannot be set to `read`. Trying to do so will produce:
Probably you want to list `write|none`?
I see in https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token that it also lists the `read` permission and a thread that mentions it. Is the read permission available ONLY in specific conditions?
Additional information
No response