Elevate GITHUB_TOKEN permissions in pull_request_review workflow #26651
Is it possible to elevate the permissions for the default GITHUB_TOKEN in a pull_request_review workflow? I have a workflow that assigns write access to the token for the issue_comment event type, but the same workflow only has read access when triggered from a pull_request_review. The pull request originates from a fork.
Elevating permissions works for a pull_request_target event and since pull_request_review also runs from the base ref, and doesn’t use the code from the pull request, I hoped that it would also be safe to elevate permissions. I can’t tell if I’m doing something wrong, there’s a bug or gap, or if I’m misunderstanding the pull_request_target event and it doesn’t actually use the base ref instead of the pr ref?
Replies: 2 comments
carolynvs:
According to the
Shoot, yeah I see that I was reading the doc incorrectly now. Too bad there isn’t a pull_request_review_target event. 😃 Maybe one day more *_target events will be available so that people can safely kick off workflows based on pull request activity.
According to the pull_request_review event documentation the pull_request_review event runs on the modified code (note the GITHUB_REF). I assume that’s why the permissions are just as restricted as for pull_request.