Permissions necessary to comment on a PR #26644
-
Been working on a workflow that will comment based on changes in the PR. But when the PR comes from the outside or Dependabot it doesn’t have all the write permissions the repo’s owner has. Does anyone know which permissions have to be set to what to make an action be allowed to comment on a PR, when that PR isn’t coming from the repo owner?
Replies: 14 comments 8 replies
-
Dependabot is fun. Technically, according to the documentation (Commenting on an issue when a label is added - GitHub Docs: https://docs.github.com/en/actions/guides/commenting-on-an-issue-when-a-label-is-added), all you need is:
Practically, you need a PAT (Creating a personal access token - GitHub Docs: https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token).
And practically, the scopes don’t align well with Scopes for OAuth Apps - GitHub Docs (https://docs.github.com/en/developers/apps/scopes-for-oauth-apps). What I’ve managed to do in general is rely on Keeping your GitHub Actions and workflows secure: Preventing pwn requests (GitHub Security Lab, https://securitylab.github.com/research/github-actions-preventing-pwn-requests/). Because if you mess up, the consequences are pretty grave. It’d be really nice if there was a
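As an added illustration of the least-privilege route discussed above (not code from the thread or from GitHub's docs): a workflow that comments on a PR from a fork using only the job's GITHUB_TOKEN and an explicit `permissions` block, with no PAT. It assumes `actions/github-script@v6` and takes the trade-off the "pwn requests" article describes: `pull_request_target` runs in the base repository's context, so the job must never check out or execute code from the PR head.

```yaml
# Added example, not from the original thread. Comments on PRs from forks
# with a least-privilege GITHUB_TOKEN; no personal access token involved.
name: pr-comment

on:
  # Runs in the context of the base repository, so GITHUB_TOKEN carries the
  # permissions declared below even for PRs from forks. The trade-off is that
  # this job must NOT check out or run anything from the PR head; it only
  # reads PR metadata through the API.
  pull_request_target:
    types: [opened, synchronize]

# Default every scope to none; grant only what the job needs, per job.
permissions: {}

jobs:
  comment:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write   # required for issues.createComment on a PR
    steps:
      # Deliberately no actions/checkout step here: checking out
      # github.event.pull_request.head.sha under pull_request_target would
      # run untrusted code with a write-capable token.
      - uses: actions/github-script@v6
        with:
          script: |
            const pr = context.payload.pull_request;
            // First page of changed files (metadata only, nothing executed).
            const files = await github.rest.pulls.listFiles({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: pr.number,
            });
            // PR title/body are attacker-controlled text; they are not used
            // in any command, only echoed back inside a Markdown comment.
            const body = `Thanks @${pr.user.login}: this PR touches `
              + `${files.data.length} file(s) on the first page of results.`;
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: pr.number,
              body,
            });
```

Check the "Set up job" section of the run log, which prints the effective GITHUB_TOKEN permissions; for Dependabot-opened PRs in particular, confirm there that `pull-requests: write` was actually granted before relying on this.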
-
Thanks! Been really hoping to avoid using a PAT because that widens the attack possibilities with it significantly rather than reducing it. And just setting the Still feels like way too much work for something that should be handled more securely by the platform. Right now having to jump through hoops makes it too easy to implement something insecurely.
-
Yeah, I’m currently playing with variations. I’m still working on getting all of my pieces to support I agree, it’s incredibly inelegant. Although, one complaint people have about my thing is that it leaves too many comments, whereas a single running comment would be nice, so it’s possible that I’ll want to use that action (I’ve been thinking about it for the past week or two).
-
So I currently came to this after a Twitter thread with one of the Dependabot people:
For reference that Twitter thread can be found here: https://twitter.com/WyriHaximus/status/1393679576828686340
-
Btw, I’m shocked to see anyone using actions/checkout (v1). v1 has been dead since:
Upgrade checkout to v1.1.0 to better support scripting git. (#56)
* Upgrade checkout to v1.1.0 to better support scripting git.
-
Why? That commit is included in the
-
Because:
Release v2.0.0 · actions/checkout
* Improved fetch performance: the default behavior now fetches only the commit being checked out
* Script authenticated git commands: persists the input token in the local git config
-
Oh absolutely, most of my workflows (that I haven’t forgotten to update) are running on
-
I should note that while commenting requires permissions, if all you want is to provide a report, there’s a new feature called a job summary:
Supercharging GitHub Actions with Job Summaries | The GitHub Blog (“You can now output and group custom Markdown content on the Actions run summary page.”) … and it doesn’t require additional permissions.
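An added example of the job-summary alternative (not code from the thread or from the linked blog post): the report is written to the file named by `GITHUB_STEP_SUMMARY` from an ordinary `pull_request` run, so a fork or Dependabot PR with a read-only token can still publish it. The `results.txt` content is a constructed stand-in for whatever tool produces your report.

```yaml
# Added example, not from the original thread. Publishes a report as a job
# summary instead of a PR comment, so no write scope is needed anywhere.
name: pr-report

on:
  pull_request:

permissions:
  contents: read   # checkout only; the workflow never needs a write scope

jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      # Safe here: under plain pull_request a fork's PR runs with a
      # read-only token, so executing its code cannot modify the repo.
      - uses: actions/checkout@v3
      - name: Produce a report (constructed sample standing in for a real tool)
        run: |
          printf '%s\n' "src/app.js 12 0" "src/auth.js 3 1" > results.txt
      - name: Publish the report as a job summary
        run: |
          {
            echo "## Check results for ${GITHUB_SHA}"
            echo
            echo "| File | Passed | Failed |"
            echo "|------|--------|--------|"
            # Anything derived from the PR branch is untrusted: it is only
            # emitted as Markdown table cells, never evaluated as a command.
            while read -r file passed failed; do
              echo "| ${file} | ${passed} | ${failed} |"
            done < results.txt
          } >> "$GITHUB_STEP_SUMMARY"
      - name: Fail the job if any check failed
        run: |
          awk '$3 > 0 { bad=1 } END { exit bad }' results.txt
```

Each push to the PR starts a new run with its own summary, so the latest report is the one reached from the commit's check status on the PR page.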
-
Does it support updating the same summary if you push again to the same PR?
-
Summaries are assigned to jobs, so each job gets its own summary. Roughly it ends up being a non-issue. Note: I haven’t deployed this feature (for various reasons). I might be able to in June or July.
-
Also still need to check it out, but if only the latest summary is shown on the PR page it could work. Will see if I can have a try at this soon.
-
I believe they’re basically only reachable via the ✅/❌ for the commit or the summary box at the bottom of the PR.
-
@WyriHaximus do you have any feedback about this? (usage of summary OR a good way to put a comment on a PR with a GitHub Action from a forked repo) I looked at https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ and I ask myself if there is a better way than Edit: I just see that you propose