Who can manually trigger a workflow using workflow_dispatch #26053
-
I’m using a workflow that is designed to be manually triggered only on My question is who is authorized to initiate a manually-triggered workflow like my case above? I assume it’s only people who have write access to the repo, but I couldn’t find any definitive answer by googling. Can somebody point me to a reference for this, or explain a definitive answer? Thanks!
Replies: 5 comments
-
Hey @itsayellow! Welcome to the community and thanks for your post.
Almost! There has to be an authorized token. Whether that’s an authorized PAT, or the We discuss this a bit, here: …and in more detail, here: Between these pages, you should have your answer, but please let us know if anything remains!
-
Thanks for the reply! I did indeed see those pages before. A personal access token makes sense to me, it’s basically a way for something else to act with my permissions. Does a GITHUB_TOKEN work the same way, with a maximum of my permissions? I think my confusion is in the fact that a GITHUB_TOKEN is generated automatically. I was a little unclear in exactly what manner that happens, and what permissions (i.e. on which user’s behalf) it operates. Is it equivalent to a personal access token of mine, if I am the one initiating the action? My ultimate question is, could somebody who doesn’t have access to a repo initiate a workflow action that needs a GITHUB_TOKEN and have it run and make changes to the repo?
-
No, the GITHUB_TOKEN does not have full access. As you can see in the introduction from the docs shared by @nethgato about the GITHUB_TOKEN, the permissions of GITHUB_TOKEN are limited to the repository that contains your workflow. The GITHUB_TOKEN is generated to authenticate on behalf of GitHub Actions. No matter who triggers the workflows, the permissions of the GITHUB_TOKEN are fixed. Normally, its permissions won’t be different according to different users who trigger the workflow.
To trigger a workflow in a repository, the user should be a collaborator with Write permission in the repository. Normally, external users can’t trigger workflows in the repository.
-
Great, ok I think that answers my main concern. Thanks! In general it would be nice to clarify this in the documentation, since GITHUB_TOKEN isn’t as easy to understand as a normal secret. At least to me. 🙂
-
I agree. In addition, if you feel my above explanation is very helpful to you, maybe you can mark it as the solution for this topic, so that other users who have similar questions can notice this when they are looking for an answer.
@itsayellow,
No, the GITHUB_TOKEN does not have full access.
As you can see in the introduction from the docs shared by @nethgato about the GITHUB_TOKEN, the permissions of GITHUB_TOKEN are limited to the repository that contains your workflow.
And even in the workflow repository, the GITHUB_TOKEN also does not have full access; for example, you can’t use the GITHUB_TOKEN to add, update or delete workflow files.
Many APIs related to workflows require that the authentication token has the ‘workflow’ scope, but the GITHUB_TOKEN does not have this scope.
The GITHUB_TOKEN is generated to authenticate on behalf of GitHub …
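
The two points from the answers above (a run can only be started by a collaborator with write access, and the GITHUB_TOKEN is scoped to the repository rather than to that user), shown in a workflow file. This is an added example, not part of the original discussion; the workflow name, the `environment` input and the admin-only rule for production are hypothetical.

```yaml
# Added example: names, inputs and the admin-only policy are hypothetical.
name: manual-deploy
on:
  workflow_dispatch:   # per the answer above, starting a run needs write access
    inputs:
      environment:
        description: Target environment (constructed input)
        required: true
        type: choice
        options:
          - staging
          - production

# Scope the automatically generated GITHUB_TOKEN for every job in this file.
# The token belongs to this repository and this run, not to the triggering user.
permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Require admin permission for production
        if: inputs.environment == 'production'
        env:
          GH_TOKEN: ${{ github.token }}   # the GITHUB_TOKEN, picked up by the gh CLI
        run: |
          # GITHUB_ACTOR and GITHUB_REPOSITORY are read from the environment
          # rather than interpolated into the script, to avoid shell injection.
          perm=$(gh api "repos/${GITHUB_REPOSITORY}/collaborators/${GITHUB_ACTOR}/permission" --jq '.permission')
          echo "Run started by ${GITHUB_ACTOR} with repository permission: ${perm}"
          if [ "${perm}" != "admin" ]; then
            echo "::error::production runs are limited to repository admins"
            exit 1
          fi
      - name: Deploy
        env:
          TARGET: ${{ inputs.environment }}
        run: echo "Deploying to ${TARGET}"
```

The gate step matters because the token's permissions do not change with the person who starts the run, so any extra restriction on who may run a sensitive path has to be checked explicitly.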