Access token permissions required to trigger a workflow

According to this documentation:

we can build a PAT that is able to trigger workflows.
The question is, what permissions should the token be granted for this purpose?
Seeing there are quite a few available: https://docs.github.com/assets/images/help/settings/token_scopes.gif

This question has relevance with respect to this GH action, where the author says the documentation (i.e. first link above) is too vague to be able to answer on this topic.

It depends on what kind of event you want to trigger. The point of the documentation that says GITHUB_TOKEN won’t trigger new workflows is that regular repository activity (e.g. pushing a new commit) authenticated with the GITHUB_TOKEN won’t cause additional workflows listening for that kind of event to run.

The documentation for the action you linked says it creates a “repository dispatch” event. The documentation for the create a repository dispatch event API endpoint says:

This endpoint requires write access to the repository by providing either:

I don’t know the action, so please consider whether you trust it enough to give it the kind of privileges that go with the repo scope.

1 Like

OK, thank you for the answer.
I guess it amounts to giving public_repo for a public repository, or more basically repo for private repos.
The action seems fine (nothing especially strange in the code) and serves a useful purpose to trigger rebuild workflows across several repos. I’m unaware of what other strategies would allow doing that. So I think I’ll trust it.

1 Like
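
As an added example (not code from this thread or from the action discussed), the Python sketch below builds the repository dispatch request the answer refers to and audits a classic PAT's `X-OAuth-Scopes` header value against the scopes named above, reporting any scope beyond the minimum. The owner, repository, event name and header strings are constructed, and treating `public_repo` as sufficient for a public repository follows the reply's guess and is an assumption.

```python
import json
import urllib.request

API = "https://api.github.com"

def audit_token(scopes_header, private_repo):
    """Return (can_dispatch, surplus_scopes) for a classic PAT.

    scopes_header is the X-OAuth-Scopes value GitHub returns for classic
    tokens (comma-separated); fine-grained tokens do not carry scopes.
    """
    scopes = {s.strip() for s in scopes_header.split(",") if s.strip()}
    # Assumption from the thread: 'repo' for private repositories,
    # 'public_repo' is enough for public ones.
    minimal = "repo" if private_repo else "public_repo"
    can_dispatch = "repo" in scopes or (not private_repo and "public_repo" in scopes)
    # Anything beyond the minimal scope widens what a leaked token can do.
    return can_dispatch, scopes - {minimal}

def build_dispatch_request(owner, repo, event_type, token, payload=None):
    """Build (but do not send) the POST /repos/{owner}/{repo}/dispatches call."""
    body = {"event_type": event_type, "client_payload": payload or {}}
    return urllib.request.Request(
        f"{API}/repos/{owner}/{repo}/dispatches",
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
        },
    )

if __name__ == "__main__":
    # Constructed header value: a token carrying more than the dispatch needs.
    ok, surplus = audit_token("repo, workflow, admin:org", private_repo=True)
    print("can dispatch:", ok, "| scopes to drop:", sorted(surplus))
    # Placeholder names and token; the request is only built, never sent.
    req = build_dispatch_request("example-org", "example-repo", "rebuild",
                                 "PLACEHOLDER_TOKEN", {"ref": "main"})
    print(req.get_method(), req.full_url)
```

The receiving repository only reacts if one of its workflows listens for `repository_dispatch`, optionally filtered by the same event type.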