Recommended GitHub Action to update wiki

Currently I am using Decathlon’s Wiki Page creator Action on a repository in an organisation I participate in as an outside contributor.

The issue I face here is that I can’t just use the ${{ secrets.GITHUB_TOKEN }} for the workflow, for reasons I don’t quite understand (something with SSO according to the Action’s readme).

The only solution for this is if an owner/admin of the repo creates a PAT and sets it as a secret for me to integrate, which I think is sub-optimal as it gives the risk of someone abusing that token in the future.

So I now essentially search for an Action (or set of actions) that would allow me the following things with just the GITHUB_TOKEN secret:

  • Checkout the repository using Checkout Action
  • Setup a temp Git repository based on the wiki
  • Collect changed files within a specific folder (wiki folder)
    • Exclude specific files I define, e.g. the README.md file the folder contains
  • Push the changes to the wiki, updating it.

So essentially what the wiki creator action does, but using the GITHUB_TOKEN instead.
Again, the main reason why I want to use the token and not a generated PAT from an admin/owner is general security, as I’m the main person maintaining the wiki right now and suggested that the owners include a wiki-action for more open/collaborative wiki contributions.

@andre601,

The permissions of the GITHUB_TOKEN are limited to the repository that contains your workflow.

If you want to checkout, update and push Wiki from other repositories, you need to ask the owners or administrators to create a personal access token (PAT) with ‘repo’ scope.

The only solution for this is if an owner/admin of the repo creates a PAT and sets it as a secret for me to integrate, which I think is sub-optimal as it gives the risk of someone abusing that token in the future.

If the GITHUB_TOKEN also has the ‘repo’ scope or other scopes, the risk may be higher, because:

With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository.

This means that:

  • When you (owner or administrator) add a PAT as a secret in the repository or on the organization, if an outside user triggers a workflow from a forked repository, this workflow run can’t use this PAT. So the outside user can’t abuse this PAT.

  • The workflow triggered from the forked repository can use the GITHUB_TOKEN but only has the ‘read’ access (see here).
    If the GITHUB_TOKEN has more scopes, there is an obvious risk that the outside users may abuse the GITHUB_TOKEN.

This… doesn’t answer my question in any way whatsoever.

I am well aware of what the GITHUB_TOKEN can and cannot do and never asked about a clarification on this.
I simply asked about a possible replacement for the action I use right now, as this one only works with a PAT and not the token for the action itself.

I never mentioned anything about a fork or similar. I said it myself that I am an outside contributor to the repository in question (So I do have push access).

Everything I want is a working action to update a wiki on a repository without the need of having a PAT created, because the action doesn’t accept the normal GitHub token.
And according to some, I can use it to push changes to the wiki, as the scope also includes it.
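
The steps requested in the first post (clone the wiki, copy the wiki folder minus excluded files, push), written as a shell function for a workflow `run:` step. This is an added example, not part of any post and not code from the Decathlon action; `sync_wiki`, `wiki_git` and `WIKI_TOKEN` are hypothetical names, and it assumes the job's GITHUB_TOKEN is granted `contents: write` and is accepted for wiki pushes, which the thread does not confirm.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: sync_wiki, wiki_git,
# WIKI_TOKEN. Assumes WIKI_TOKEN is set from secrets.GITHUB_TOKEN in a job
# that declares `permissions: contents: write`, and that the wiki already has
# a first page (an uninitialised wiki cannot be cloned).

# Run git, adding the token as a per-command HTTP header when one is set, so
# it is never stored in the remote URL or in the clone's .git/config.
wiki_git() {
  if [ -n "${WIKI_TOKEN:-}" ]; then
    basic="$(printf 'x-access-token:%s' "$WIKI_TOKEN" | base64 | tr -d '\n')"
    git -c "http.extraheader=AUTHORIZATION: basic $basic" "$@"
  else
    git "$@"
  fi
}

# sync_wiki SRC_DIR WIKI_REMOTE [EXCLUDED_FILE...]
# The body runs in a subshell so its variables and cleanup trap stay local.
sync_wiki() (
  src="$1"; remote="$2"; shift 2
  work="$(mktemp -d)" || exit 1
  trap 'rm -rf "$work"' EXIT
  wiki_git clone --quiet "$remote" "$work/wiki" || exit 1

  # Copy each Markdown page unless its name is on the exclude list.
  for f in "$src"/*.md; do
    [ -e "$f" ] || continue
    name="$(basename "$f")"; skip=0
    for x in "$@"; do
      if [ "$name" = "$x" ]; then skip=1; fi
    done
    if [ "$skip" -eq 0 ]; then cp "$f" "$work/wiki/$name"; fi
  done

  cd "$work/wiki" || exit 1
  git add -A
  # Nothing staged: the wiki is already up to date, so succeed without a commit.
  if git diff --cached --quiet; then exit 0; fi
  git -c user.name="wiki-sync" -c user.email="wiki-sync@example.invalid" \
    commit --quiet -m "Sync wiki pages from $src" || exit 1
  wiki_git push --quiet origin HEAD
)
```

Pages deleted from the source folder are not removed from the wiki by this function; it only adds and updates.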