GITHUB_TOKEN `checks` scope should be read/write for PRs from forks

I realize there are numerous threads open where people are complaining and struggling with the limited permissions granted to PRs from forked repo. I definitely understand there are serious security implications, such as leaking secrets, etc.

What I’m asking here is very narrow: can someone explain why the GITHUB_TOKEN given to a forked repo’s PR can’t have read/write privileges for JUST the checks scope?

As far as I can tell, the only thing a bad actor could do with that scope is fail his own PR build, or leave an annotation. I’m really struggling to understand why this scope needed to be denied from forks.

What seems so tantalizing is that if this ONE scope were authorized from forks, then a ton of basic CI use cases open up for GitHub Actions.

I was so close to getting 100% on the GitHub Actions train – there’s so much to love about them. But for now, if someone asked me about them, I’d tell them what I wish I had known before investing so much time learning them: “they’re great, but you can’t use them for stuff like linting and testing PRs from a forked repo.” …which eliminates the main workflows of massive swaths of the open source community.

Or am I misunderstanding something basic? Is there a key security issue with the checks scope that I’m not thinking of? Any information would be greatly appreciated.


Sorry that you are suffering from this limitation. I have found some tickets in our internal channel discussing lifting the restriction on GITHUB_TOKEN permissions when accessed by a forked repo. I would encourage you to submit a feature request in the Feedback form for GitHub Actions. This will help increase the priority of this requirement. Thank you for your understanding.

@yanjingzhu thanks for your response, I left some feedback as requested.

So, by your response am I to understand that there is no case to be made (as far as you know) for denying checks:write to forked repos?

Write permission on checks could create/update check runs and check suites. But the write permission for the Checks API is only available to GitHub Apps.
Could you please give me a scenario which needs write permission on checks for GITHUB_TOKEN?

Sure, it’s super easy to give a scenario. How about a github action that runs a code linting tool. Errors the tool finds should leave annotations as part of creating a failed check run, or create a passing check run if no lint violations are found.

Oh, I see. But I am afraid that your requirement cannot be met currently. And to update a check run result, you need to use a GitHub App; GITHUB_TOKEN and personal access tokens will not work.
If you don’t mind failing the workflow run directly without using the API, you could run exit 1.

- run: |
    echo Hello, world!
    # "::error::" is a workflow command; it shows up as an annotation on the run
    echo "::error::My error message"
    # a non-zero exit status fails the step without any API call or token scope
    exit 1

Also, you could share your scenario in the Feedback ticket.
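The reply above shows the exit 1 approach with a hard-coded message. The following is an added example (not code from the original posts or from GitHub) that applies the same idea to real linter output: every finding becomes a ::error workflow command with file/line/col, which GitHub renders as an annotation on the PR's workflow run, and the step fails through its exit status. Nothing here needs checks:write or any token at all, so it works for pull_request runs from forks where GITHUB_TOKEN is read-only. The "path:line:col: message" input format and the sample findings are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example for this thread; not code from the original posts or from GitHub.
# Findings on stdin are turned into ::error workflow commands (annotations on the
# run) and the step is failed via exit status, so no token permission is needed.
#
# Assumed (hypothetical) linter output format, one finding per line:
#   path:line:col: message

# Constructed sample findings, standing in for a linter's stdout.
SAMPLE_FINDINGS='src/app.py:12:5: unused import os
src/app.py:40:1: line too long (121 > 100)'

# Read findings from stdin, print one ::error annotation per finding.
# Return value: number of findings (0 means clean). Counts above 255 wrap,
# so treat the return value as "non-zero = findings", not an exact count.
emit_annotations() {
    n=0
    # "|| [ -n "$finding" ]" keeps a last line that lacks a trailing newline.
    while IFS= read -r finding || [ -n "$finding" ]; do
        [ -n "$finding" ] || continue
        file=${finding%%:*}; rest=${finding#*:}
        line=${rest%%:*};    rest=${rest#*:}
        col=${rest%%:*};     msg=${rest#*: }
        # Workflow command syntax GitHub documents for file-level annotations.
        printf '::error file=%s,line=%s,col=%s::%s\n' "$file" "$line" "$col" "$msg"
        n=$((n + 1))
    done
    return "$n"
}

# Step body: annotate every finding, then fail (return 1) if there were any.
# $1 is the linter output captured as a string, e.g. "$(flake8 . 2>&1 || true)".
lint_step() {
    n=0
    printf '%s\n' "$1" | emit_annotations || n=$?
    if [ "$n" -ne 0 ]; then
        printf '::error::lint found %d issue(s)\n' "$n"
        return 1
    fi
    printf 'lint clean\n'
    return 0
}

# Run with --demo to see both outcomes; in a workflow you would call lint_step
# from a "run:" step and let its exit status decide the step result.
if [ "${1:-}" = "--demo" ]; then
    lint_step "$SAMPLE_FINDINGS"; echo "exit status: $?"
    lint_step "";                 echo "exit status: $?"
fi
```

The annotations appear on the PR's "Checks" tab under the workflow run itself, which covers the linting scenario asked about without a check run created through the Checks API. One caveat worth keeping in mind: switching the trigger to pull_request_target to regain a write-capable GITHUB_TOKEN is not a safe substitute, because that event runs in the base repository's context, and checking out and executing the fork's code there hands untrusted code that write token.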