Remove id-token: read from available permissions #34306

Merged
merged 9 commits into from
Aug 20, 2024

@janbrasna janbrasna commented Aug 14, 2024

There are confusions about what id-token: read means:

This aims to remove any ambiguity about the actual meaning of the values.

Why:

Closes: #33483

What's being changed (if available, include any code snippets, screenshots, or gifs):

Removes value not available to be set as per schema: https://github.com/actions/languageservices/blob/83bddd3332cb4dc988ded6784719527765619404/workflow-parser/src/workflow-v1.0.json#L1538-L1541

Also explains that write permission doesn't grant any write access to any resource, only to (request and) set the actual jwt for further consumption.

Check off the following:

  • I have reviewed my changes in staging, available via the View deployment link in this PR's timeline (this link will be available after opening the PR).

    • For content changes, you will also see an automatically generated comment with links directly to pages you've modified. The comment won't appear if your PR only edits files in the data directory.
  • For content changes, I have completed the self-review checklist.
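A small check for the invalid value this PR removes from the docs, as an added example that is not part of the pull request or of GitHub's tooling. It assumes the schema accepts only `write` and `none` for `id-token`; the function name `check_id_token` and the sample workflow are constructed for illustration.

```python
import re

# Assumption: per the workflow schema linked in the PR, id-token takes only
# these values; "read" is not among them.
ALLOWED_ID_TOKEN = {"write", "none"}

# Matches `id-token: <value>` in block style or inside an inline `{ ... }` map,
# with or without quotes around the value.
ID_TOKEN_RE = re.compile(r"""(?:^|[{,\s])id-token\s*:\s*["']?([A-Za-z-]+)["']?""")


def check_id_token(workflow_text):
    """Return (line_number, value) for each id-token value the schema rejects."""
    findings = []
    for lineno, raw in enumerate(workflow_text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):
            continue  # whole-line YAML comment
        line = raw.split(" #", 1)[0]  # drop a trailing comment
        match = ID_TOKEN_RE.search(line)
        if match and match.group(1) not in ALLOWED_ID_TOKEN:
            findings.append((lineno, match.group(1)))
    return findings


# Constructed sample workflow: one invalid value, two valid ones.
SAMPLE = """\
name: deploy
on: push
permissions:
  contents: read
  id-token: read   # constructed: the value the PR removes from the docs
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions: { contents: read, id-token: write }
    steps:
      - run: echo ok
  audit:
    runs-on: ubuntu-latest
    permissions:
      id-token: none
"""

if __name__ == "__main__":
    for lineno, value in check_id_token(SAMPLE):
        print(f"line {lineno}: id-token: {value} is not a valid value")
```
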

@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label Aug 14, 2024

github-actions bot commented Aug 14, 2024

Automatically generated comment ℹ️

This comment is automatically generated and will be overwritten every time changes are committed to this branch.

The table contains an overview of files in the content directory that have been changed in this pull request. It's provided to make it easy to review your changes on the staging site. Please note that changes to the data directory will not show up in this table.


Content directory changes

You may find it useful to copy this table into the pull request summary. There you can edit it to share links to important articles or changes and to give a high-level overview of how the changes in your pull request support the overall goals of the pull request.

| Source | Preview | Production | What Changed |
|---|---|---|---|
| actions/security-for-github-actions/security-guides/automatic-token-authentication.md | fpt, ghec, ghes@ 3.14 3.13 3.12 3.11 3.10 | fpt, ghec, ghes@ 3.14 3.13 3.12 3.11 3.10 | |
| actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services.md | fpt, ghec, ghes@ 3.14 3.13 3.12 3.11 3.10 | fpt, ghec, ghes@ 3.14 3.13 3.12 3.11 3.10 | |
| actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure.md | fpt, ghec, ghes@ 3.14 3.13 3.12 3.11 3.10 | fpt, ghec, ghes@ 3.14 3.13 3.12 3.11 3.10 | |
| actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers.md | fpt, ghec, ghes@ 3.14 3.13 3.12 3.11 3.10 | fpt, ghec, ghes@ 3.14 3.13 3.12 3.11 3.10 | |
| actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-google-cloud-platform.md | fpt, ghec, ghes@ 3.14 3.13 3.12 3.11 3.10 | fpt, ghec, ghes@ 3.14 3.13 3.12 3.11 3.10 | |
| actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token.md | fpt, ghec, ghes@ 3.14 3.13 3.12 3.11 3.10 | fpt, ghec, ghes@ 3.14 3.13 3.12 3.11 3.10 | from reusable |
| actions/writing-workflows/workflow-syntax-for-github-actions.md | fpt, ghec, ghes@ 3.14 3.13 3.12 3.11 3.10 | fpt, ghec, ghes@ 3.14 3.13 3.12 3.11 3.10 | from reusable |
| actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect.md | fpt, ghec, ghes@ 3.14 3.13 3.12 3.11 3.10 | fpt, ghec, ghes@ 3.14 3.13 3.12 3.11 3.10 | from reusable |
| actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-hashicorp-vault.md | fpt, ghec, ghes@ 3.14 3.13 3.12 3.11 3.10 | fpt, ghec, ghes@ 3.14 3.13 3.12 3.11 3.10 | from reusable |

fpt: Free, Pro, Team
ghec: GitHub Enterprise Cloud
ghes: GitHub Enterprise Server

@nguyenalex836 nguyenalex836 added content This issue or pull request belongs to the Docs Content team actions This issue or pull request should be reviewed by the docs actions team waiting for review Issue/PR is waiting for a writer's review needs SME This proposal needs review from a subject matter expert and removed triage Do not begin working on this issue until triaged by the team labels Aug 15, 2024
@nguyenalex836

@janbrasna Thanks so much for opening a PR! I'll get this triaged for review ✨


Thanks for opening a pull request! We've triaged this issue for technical review by a subject matter expert 👀

Co-authored-by: Josh Gross <joshmgross@github.com>
@jc-clark

Thanks for this contribution @janbrasna! I'll go ahead and merge this.

@jc-clark jc-clark added this pull request to the merge queue Aug 20, 2024
Merged via the queue into github:main with commit 2f12ab5 Aug 20, 2024
44 checks passed

Thanks very much for contributing! Your pull request has been merged 🎉 You should see your changes appear on the site in approximately 24 hours. If you're looking for your next contribution, check out our help wanted issues

@janbrasna janbrasna deleted the fix/id-token-read branch August 20, 2024 19:35
Successfully merging this pull request may close these issues.

Wrong possible id-token permissions types listed
4 participants