Fix Permissions on Publish Release Artifacts Job #3511
felixhandte merged 1 commit into facebook:dev from
Publishing release artifacts requires the `contents` permission, as documented by: https://docs.github.com/en/rest/overview/permissions-required-for-github-apps.
| permissions: | ||
| contents: read # to fetch code (actions/checkout) | ||
| actions: write # to attach binaries to release artifacts (skx/github-action-publish-binaries) | ||
| contents: write # to fetch code and upload artifacts |
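Review bot: the removed `actions: write` line was commented as the scope needed to attach binaries via skx/github-action-publish-binaries, but uploading a release asset is a repository `contents` write (that is the scope the linked permissions document lists for it), so collapsing to the single `contents: write` line is the correct fix and nothing else needs restoring. One suggestion on the new line: since a job-level `permissions` block replaces the workflow-level block rather than merging with it, keep the comment naming the consumers of the scope, e.g. `contents: write # actions/checkout + skx/github-action-publish-binaries`, so whoever next tightens this block can see why it is wider than the workflow's `read-all`.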
It's more a question at this point. I'm just curious to notice that a local permission setting `contents: write` within `publish-release-artifacts` seems to overwrite, or at least give more rights than, the global `permissions: read-all` just above.

I was wondering if this would allow an included script or action to sneakily "update" permissions in its own code even when permissions are set to `read-all` at the beginning.
I believe not--I believe the included action can't modify the job's permission.
A PR could change the permissions though. Supposedly we are protected from that though, as PRs from (first-time?) contributors require approval before actions are run. So we can inspect to make sure they aren't messing with the action definitions.
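To make the override rule discussed above concrete, here is an added audit script (not code from the zstd PR or its workflow) that models how GitHub Actions resolves each job's effective `permissions` and lists every job whose own block grants more than the workflow-level block. It assumes the semantics GitHub documents: a job-level block replaces the workflow-level one, unlisted scopes become `none`, and `read-all`/`write-all` expand to every scope; the sample workflow dict is constructed to mirror the shape of the one under discussion.

```python
# Added example (not code from the zstd PR): model how GitHub Actions resolves
# each job's effective `permissions`, to audit a workflow for jobs whose own
# block grants more than the workflow-level block. Assumed semantics (per
# GitHub's docs): a job-level block replaces the workflow-level one entirely,
# any scope not listed in a block becomes `none`, and `read-all`/`write-all`
# expand to every scope.
SCOPES = ("actions", "checks", "contents", "deployments", "id-token", "issues",
          "packages", "pull-requests", "security-events", "statuses")
RANK = {"none": 0, "read": 1, "write": 2}

def expand(block):
    """Expand a `permissions` value into a full scope -> level mapping."""
    if block is None:
        return None                      # not specified at this level
    if block in ("read-all", "write-all"):
        return {s: block[:-4] for s in SCOPES}
    return {s: block.get(s, "none") for s in SCOPES}   # unlisted -> none

def effective_permissions(workflow):
    """Return {job_name: {scope: level}} after the job-level override rule."""
    top = expand(workflow.get("permissions"))
    return {name: expand(job.get("permissions")) or top
            for name, job in workflow.get("jobs", {}).items()}

def escalations(workflow):
    """List (job, scope, workflow_level, job_level) where a job exceeds the
    workflow-level block (absent blocks are treated as `none` here; in reality
    the repository's default permission setting would apply instead)."""
    none = {s: "none" for s in SCOPES}
    top = expand(workflow.get("permissions")) or none
    found = []
    for name, perms in effective_permissions(workflow).items():
        perms = perms or none
        for scope in SCOPES:
            if RANK[perms[scope]] > RANK[top[scope]]:
                found.append((name, scope, top[scope], perms[scope]))
    return found

# Constructed sample mirroring the shape of the workflow under discussion:
# workflow-level read-all, one job raising `contents` to write.
SAMPLE_WORKFLOW = {
    "permissions": "read-all",
    "jobs": {
        "build": {"runs-on": "ubuntu-latest"},
        "publish-release-artifacts": {"permissions": {"contents": "write"}},
    },
}
```

Running `escalations(SAMPLE_WORKFLOW)` reports the single `contents` read-to-write step for `publish-release-artifacts`, and shows that the same job's other scopes (for example `actions`) drop to `none` because its block replaces, rather than extends, `read-all`.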
Publishing release artifacts requires the `contents` permission, as documented by: https://docs.github.com/en/rest/overview/permissions-required-for-github-apps. Tested by authoring a release on my fork.