I’m trying to figure out what is the bare minimum in terms of access rights that a GitHub action has to have when no extra parameters are passed in a workflow file.

```yaml
- uses: actions/checkout@v2
```

Is that a GH token that allows reading and writing to the repository?
The GitHub doc says “To use the GITHUB_TOKEN secret, you must reference it in your workflow file.”
[Authentication in a workflow - GitHub Docs]
So is that true or not?
I can see that in this case the GITHUB_TOKEN is not passed to an action in a workflow file. It is simply referenced in its source code: https://github.com/actions/checkout/blob/25a956c84d5dd820d28caab9f86b8d183aeeff3d/action.yml#L24
When I use third-party software to support a specific action, is it possible and reasonable to make sure it does not have full read/write access to the repository?
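As an added illustration (not part of the original post, and not code from the actions/checkout project), here is a workflow that scopes the automatic GITHUB_TOKEN down with the `permissions` key and passes it to checkout explicitly. The workflow name, trigger and `./build.sh` step are assumed placeholders; `permissions`, `github.token` and the checkout inputs `token` and `persist-credentials` are standard GitHub Actions features.

```yaml
name: build            # assumed workflow name
on: [push]             # assumed trigger

# Restrict the automatic GITHUB_TOKEN for every job in this workflow.
# Only the scopes listed here are granted; every other scope is set to
# "none", so this token can read repository contents but not push,
# open pull requests, write issues, or touch packages.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # actions/checkout defaults its `token` input to github.token, so it
      # already inherits the restricted token above. Passing it explicitly
      # makes that dependency visible in the workflow file.
      - uses: actions/checkout@v2
        with:
          token: ${{ github.token }}
          # Do not leave the token in .git/config where later steps
          # (including third-party actions) could read it.
          persist-credentials: false

      - run: ./build.sh   # assumed placeholder for the real build
```

With `permissions` set at the workflow level, any action that reads `github.token` in its own `action.yml` gets the same reduced token, so the restriction applies whether or not the token appears literally in the workflow file. The key can also be set per job when only one job needs write access.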