I'm using zizmor to audit GUAC's GitHub workflows and the scorecard workflow reports excessive permissions:

I don't see anything in this action's docs that explains why `read-all` is necessary. Does the action require read access to all possible permissions, or is that a convenience instead of enumerating the specific permissions required?

If `read-all` is necessary, I'd be happy to submit a PR to add a mention in the docs.
It is likely a matter of convenience, with a dash of future-proofing for further updates. The answer is likely different for public vs. private repos as well, and it's something we haven't done a good job of documenting. GitHub has a handy auditing tool for determining least privilege for their REST API, but Scorecard uses the GraphQL API, which isn't supported by the monitor.

At the very least, this past issue implies `contents` and `actions` are useful. Skimming the permission list, I could see a few more being required in some scenarios, depending on the check:

- `checks`
- `issues`
- `pull-requests`
- `statuses`

But certain feature requests mean new permissions may be used in the future, such as `attestations`.
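As an added example (not the scorecard-action project's own workflow file and not posted in this thread), here is the workflow-level `read-all` shape that zizmor reports, beside an enumerated form that grants the Scorecard job only the read scopes named above. The action version tags and the cron schedule are placeholders; whether every listed scope is actually required is exactly what this issue leaves open, so the enumerated list is a starting point to trim, not an established minimum.

```yaml
# Added example, not the scorecard-action project's own workflow.
# Before: the shape zizmor flags. `read-all` grants the GITHUB_TOKEN read
# access on every scope it can carry, as the default for every job.
name: Scorecard (before)
on:
  schedule:
    - cron: '30 1 * * 6'   # placeholder schedule
  push:
    branches: [main]
permissions: read-all
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4        # tag for illustration; pin to a commit SHA in practice
      - uses: ossf/scorecard-action@v2   # version tag assumed; pin to a commit SHA in practice
        with:
          results_file: results.sarif
          results_format: sarif
---
# After: deny everything at the workflow level, then grant the Scorecard job
# only the read scopes this thread identifies as useful or possibly needed.
name: Scorecard (after)
on:
  schedule:
    - cron: '30 1 * * 6'   # placeholder schedule
  push:
    branches: [main]
permissions: {}            # no default access; each job states what it needs
jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      contents: read       # repository contents; implied as useful in the linked issue
      actions: read        # workflow metadata; implied as useful in the linked issue
      checks: read         # the remaining four are the "depending on the check" candidates
      issues: read
      pull-requests: read
      statuses: read
      # attestations: read   # not needed today; named above as a possible future scope
    steps:
      - uses: actions/checkout@v4        # tag for illustration; pin to a commit SHA in practice
      - uses: ossf/scorecard-action@v2   # version tag assumed; pin to a commit SHA in practice
        with:
          results_file: results.sarif
          results_format: sarif
```

Two semantics worth keeping in mind when trimming this: a workflow-level `permissions` block is only the default, and any scope omitted from an enumerated block is set to none, so a job that needs a write (for example `security-events: write` if the same workflow uploads the SARIF file to code scanning) must declare it at the job level. Testing a candidate set is then a matter of running the workflow on a repo and watching which checks start reporting errors rather than results, which is the experiment the thread proposes.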
Thanks for the info. I'll see if the GUAC maintainers are interested in experimenting with me to see if we can identify a minimum level of permissions. If so, I'll contribute that knowledge upstream.