This week I’m bringing you a peek behind the scenes here in the GitHub community team, and a reminder to always thoroughly read the documentation when you’re changing something as important as permissions!
Here at GitHub we use GitHub to build GitHub. Each team has a repository and in that repo we store useful files and documentation, keep track of projects using project boards, and create issues to track what the team is working on. We also use Actions to automate a lot of this.
The GitHub org will soon be enforcing explicit permission definitions for the GITHUB_TOKEN, meaning that we needed to update our workflows in order for them to continue working. Since all of our workflows in the community repo only really check out the repo then create and close issues using templates, I added the following to all our workflows and called it a day:
    permissions:
      issues: write
Our workflows are scheduled, so it wasn’t until Monday morning that I noticed every single one of our workflows had failed over the weekend! After spending a good hour poring through our docs, I found this line:
When the permissions key is used, all unspecified permissions are set to no access, with the exception of the metadata scope, which always gets read access.
The fix for this was easy enough, once I understood that all our workflows needed the contents permission in order to check out the repo:
    permissions:
      contents: write
      issues: write
I hope this story helps anyone who might be implementing similar security policies and serves as a stark reminder to always read the docs before changing your important permissions!
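An added example, not part of the original post or GitHub's own tooling: a small Python check that flags the failure described above before a scheduled run hits it. It reads only the workflow-level permissions key (job-level overrides are out of scope), the sample workflow with its cron schedule and script path is constructed for illustration, and the corrected sample grants contents: read, which is enough for a checkout.

```python
import re

# Constructed sample mirroring the failing setup; cron and script path are hypothetical.
BROKEN = """\
on:
  schedule:
    - cron: "0 6 * * 1"
permissions:
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/open-issue.sh
"""
FIXED = BROKEN.replace("  issues: write\n", "  contents: read\n  issues: write\n")

def workflow_permissions(text):
    """Return the workflow-level permissions mapping, or None if the key is absent."""
    m = re.search(r"^permissions:(.*)$", text, re.M)  # column 0 only: top-level key
    if m is None:
        return None
    inline = m.group(1).split("#")[0].strip()
    if inline in ("read-all", "write-all"):
        return {"*": inline.split("-")[0]}
    perms = {}
    for sub in text[m.end():].splitlines():
        if sub.strip() and not sub.startswith(" "):
            break  # next top-level key ends the block
        if ":" in sub and not sub.strip().startswith("#"):
            key, value = sub.split(":", 1)
            perms[key.strip()] = value.split("#")[0].strip()
    return perms

def effective(perms, scope):
    """Access a scope ends up with once a permissions key is present."""
    if scope == "metadata":
        return "read"  # always readable, per the docs line quoted above
    return perms.get(scope, perms.get("*", "none"))  # unspecified -> no access

def audit(text):
    """List findings for one workflow file's text."""
    perms = workflow_permissions(text)
    if perms is None:
        return ["no explicit permissions key"]
    if re.search(r"uses:\s*actions/checkout@", text) and effective(perms, "contents") == "none":
        return ["actions/checkout used but contents access is none"]
    return []
```

Running `audit()` over each file in `.github/workflows/` before merging a permissions change surfaces the problem at review time instead of at the next scheduled run.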
The GitHub blog recently posted a great article on 10 Actions resources to bookmark. If you’re just getting started with Actions, then this is a great post to get an idea of what’s possible.
The GitHub Game Off is still on! If you’d like to take part, there are still 16 days left to submit your entry. If you want to take part but have never made a game before, there’re plenty of options listed for different languages, so pick the one you’re most comfortable with and get going! I can’t wait to see what you come up with!