Who can manually trigger a workflow using workflow_dispatch

I’m using a workflow that is designed to be manually triggered only on workflow_dispatch.
It also uses an action (mhausenblas/mkdocs-deploy-gh-pages) with which I use a GITHUB_TOKEN in order to publish to my gh-pages branch.

My question is who is authorized to initiate a manually-triggered workflow like my case above? I assume it’s only people who have write access to the repo, but I couldn’t find any definitive answer by googling.

Can somebody point me to a reference for this, or explain a definitive answer?

Thanks!


Hey @itsayellow! Welcome to the community and thanks for your post.

My question is who is authorized to initiate a manually-triggered workflow like my case above? I assume it’s only people who have write access to the repo, but I couldn’t find any definitive answer by googling.

Almost! There has to be an authorized token. Whether that’s an authorized PAT, or the GITHUB_TOKEN for the repository, an individual will have to have a token with appropriate privileges.

We discuss this a bit, here:

https://docs.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token

…and in more detail, here:

https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token

Between these pages, you should have your answer, but please let us know if anything remains!

Thanks for the reply! I did indeed see those pages before.

A personal access token makes sense to me, it’s basically a way for something else to act with my permissions.

Does a GITHUB_TOKEN work the same way, with a maximum of my permissions?

I think my confusion is in the fact that a GITHUB_TOKEN is generated automatically. I was a little unclear in exactly what manner that happens, and what permissions (i.e. on which user’s behalf) it operates. Is it equivalent to a personal access token of mine, if I am the one initiating the action?

My ultimate question is, could somebody who doesn’t have access to a repo initiate a workflow action that needs a GITHUB_TOKEN and have it run and make changes to the repo?

@itsayellow,

Does a GITHUB_TOKEN work the same way, with a maximum of my permissions?

No, the GITHUB_TOKEN does not have full access.

As you can see in the introduction to the GITHUB_TOKEN in the docs shared by @nethgato, the permissions of the GITHUB_TOKEN are limited to the repository that contains your workflow.
And even in the workflow repository, the GITHUB_TOKEN does not have full access; for example, you can’t use the GITHUB_TOKEN to add, update or delete workflow files.
Many APIs related to workflows require that the authentication token have the ‘workflow’ scope, but the GITHUB_TOKEN does not have this scope.

The GITHUB_TOKEN is generated to authenticate on behalf of GitHub Actions; no matter who triggers the workflow, the permissions of the GITHUB_TOKEN are fixed. Normally, its permissions won’t differ according to which user triggers the workflow.

My ultimate question is, could somebody who doesn’t have access to a repo initiate a workflow action that needs a GITHUB_TOKEN and have it run and make changes to the repo?

To trigger a workflow in a repository, the user should be a collaborator with Write permission in the repository. Normally, external users can’t trigger workflows in the repository.
If an external user uses a pull request from a forked repository to trigger a workflow, the GITHUB_TOKEN only has read permissions for some scopes.

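As an added illustration (not from the original thread), the following workflow shows the point made above: the GITHUB_TOKEN's scopes are fixed per workflow through the top-level `permissions:` key and do not depend on who presses "Run workflow", so a deploy workflow can be limited to exactly the `contents: write` it needs. The environment variable name the deploy action reads and its `@master` ref are assumptions taken from memory of that action's README, not something stated in the thread.

```yaml
# Constructed example: a manually triggered docs deploy with a least-privilege GITHUB_TOKEN.
name: deploy-docs

on:
  workflow_dispatch:        # only users with write access to the repo can trigger this
    inputs:
      reason:
        description: Why this deploy is being triggered
        required: false
        default: manual

# The token's scopes are fixed here for every run, regardless of who triggers it.
# Anything not listed is denied; contents: write is all a push to gh-pages needs.
permissions:
  contents: write

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Assumption: the action reads the token from the GITHUB_TOKEN env variable.
      # In practice, pin third-party actions to a tag or commit SHA rather than a branch.
      - name: Build and publish MkDocs site to gh-pages
        uses: mhausenblas/mkdocs-deploy-gh-pages@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Because the token cannot modify files under `.github/workflows`, this job can publish the site but cannot alter the workflow that runs it, which matches the scope limitation described in the reply above.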

Great, ok I think that answers my main concern. Thanks!

In general it would be nice to clarify this in the documentation, since GITHUB_TOKEN isn’t as easy to understand as a normal secret. At least to me. 🙂

@itsayellow,

In general it would be nice to clarify this in the documentation

I agree.
You can try sharing feedback here to ask for improvements to the documentation. That will allow you to interact directly with the appropriate engineering team, and make it more convenient for the engineering team to collect and categorize your suggestions.

In addition, if you feel my explanation above is helpful to you, maybe you can mark it as the solution of this topic, so that other users who have similar questions can notice it when they are looking for an answer.
