Who has permission to workflow_dispatch

I couldn’t find anything in the docs about this.

When adding a workflow that is triggered on workflow_dispatch, who has permissions to trigger that workflow for any given repo, and is there a way to customize that permission?

1 Like

I believe anyone with collaborator or greater can do it; however, you can also add an if statement to check who the github.actor is.

Will add more detail shortly, on mobile right now.

1 Like

Hi @lpoulter,

The user should have write access to the repo, e.g. collaborators, or any organization people/team members who are given write access.

A GitHub Actions event can be triggered via the REST API, so if you create a personal access token with repo scope, anyone who has the token can trigger the workflow. Please check the doc here for more details.

Thanks

1 Like

You can check who is triggering the workflow:
if: github.actor == 'lpoulter' || github.actor == 'kingthorin'
or
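if: contains(fromJSON('["kingthorin","lpoulter"]'), github.actor)  # fromJSON gives exact array membership; on a plain string contains() is a substring match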

Example here: https://github.com/OWASP/www-project-web-security-testing-guide/blob/53d24199a86ef59888ad8b91d8a173468d862753/.github/workflows/pr_comment.yml#L10
It’s slightly different, it runs for anyone other than the actors we check, but same basic idea. (!= vs ==.)

Sadly there isn’t (currently) a way to check if your team or a specific role contains the github.actor. I’ve submitted an enhancement request that they add something like @organization/some-team.contains(github.actor). Just as I’m writing this reply it occurs to me that something like github.actor.role == 'Maintainer' might also be handy.

Edit: There are also some more details from GitHub staff here: Who can manually trigger a workflow using workflow_dispatch:

To trigger a workflow in a repository, the user should be a collaborator with Write permission in the repository. Normally the external users can’t trigger workflows in the repository.
If the external users use a pull request to trigger workflow from the forked repository, the GITHUB_TOKEN only has read permissions for some scope.

1 Like
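
An allowlist gate for a manually dispatched workflow, combining the write-access rule and the actor check discussed in this thread (added example, not code from the thread or from GitHub; the workflow name, job names and the ALLOWED_ACTORS variable are assumptions). It checks github.triggering_actor, which is the user who started this run, including a re-run, whereas github.actor stays the user who started the original run.

```yaml
# Added example. Workflow name, job names and ALLOWED_ACTORS are hypothetical.
name: manual-deploy

on:
  workflow_dispatch:

# Keep the GITHUB_TOKEN for this run at the minimum it needs.
permissions:
  contents: read

env:
  # JSON array of logins allowed to run this workflow
  # (the two logins used as examples in the thread).
  ALLOWED_ACTORS: '["kingthorin","lpoulter"]'

jobs:
  authorize:
    runs-on: ubuntu-latest
    steps:
      - name: Reject callers outside the allowlist
        # fromJSON() turns the string into an array, so contains() tests
        # exact membership. Against the raw string it would be a substring
        # test, and a login such as "king" would pass.
        if: ${{ !contains(fromJSON(env.ALLOWED_ACTORS), github.triggering_actor) }}
        env:
          # Pass the login through the environment instead of expanding
          # the expression inside the script text.
          CALLER: ${{ github.triggering_actor }}
        run: |
          echo "::error::$CALLER is not allowed to run this workflow"
          exit 1

  deploy:
    # Runs only when the authorize job succeeded.
    needs: authorize
    runs-on: ubuntu-latest
    steps:
      - name: Placeholder for the protected work
        run: echo "deploying"
```

The gate sits in a step-level if because the env context is not available in a job-level if.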