actions/create-github-app-token
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: permissions (#168)

Browse Source 
- Load `app-permissions` from schema exported by `@octokit/openapi`
- Update documentation in README.md
- Implement the `permissions_*` inputs in the action code

---------

Co-authored-by: Parker Brown <17183625+parkerbxyz@users.noreply.github.com>
This commit is contained in:
Gregor Martynus
2025-03-27 12:00:54 -07:00
committed by GitHub
parent f577941506
commit 0e0aa99a86
21 changed files with 821 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files

395
scripts/generated/app-permissions.json Normal file
View File

@@ -0,0 +1,395 @@
{
"title": "App Permissions",
"type": "object",
"description": "The permissions granted to the user access token.",
"properties": {
"actions": {
"type": "string",
"description": "The level of permission to grant the access token for GitHub Actions workflows, workflow runs, and artifacts.",
"enum": [
"read",
"write"
]
},
"administration": {
"type": "string",
"description": "The level of permission to grant the access token for repository creation, deletion, settings, teams, and collaborators creation.",
"enum": [
"read",
"write"
]
},
"checks": {
"type": "string",
"description": "The level of permission to grant the access token for checks on code.",
"enum": [
"read",
"write"
]
},
"codespaces": {
"type": "string",
"description": "The level of permission to grant the access token to create, edit, delete, and list Codespaces.",
"enum": [
"read",
"write"
]
},
"contents": {
"type": "string",
"description": "The level of permission to grant the access token for repository contents, commits, branches, downloads, releases, and merges.",
"enum": [
"read",
"write"
]
},
"dependabot_secrets": {
"type": "string",
"description": "The leve of permission to grant the access token to manage Dependabot secrets.",
"enum": [
"read",
"write"
]
},
"deployments": {
"type": "string",
"description": "The level of permission to grant the access token for deployments and deployment statuses.",
"enum": [
"read",
"write"
]
},
"environments": {
"type": "string",
"description": "The level of permission to grant the access token for managing repository environments.",
"enum": [
"read",
"write"
]
},
"issues": {
"type": "string",
"description": "The level of permission to grant the access token for issues and related comments, assignees, labels, and milestones.",
"enum": [
"read",
"write"
]
},
"metadata": {
"type": "string",
"description": "The level of permission to grant the access token to search repositories, list collaborators, and access repository metadata.",
"enum": [
"read",
"write"
]
},
"packages": {
"type": "string",
"description": "The level of permission to grant the access token for packages published to GitHub Packages.",
"enum": [
"read",
"write"
]
},
"pages": {
"type": "string",
"description": "The level of permission to grant the access token to retrieve Pages statuses, configuration, and builds, as well as create new builds.",
"enum": [
"read",
"write"
]
},
"pull_requests": {
"type": "string",
"description": "The level of permission to grant the access token for pull requests and related comments, assignees, labels, milestones, and merges.",
"enum": [
"read",
"write"
]
},
"repository_custom_properties": {
"type": "string",
"description": "The level of permission to grant the access token to view and edit custom properties for a repository, when allowed by the property.",
"enum": [
"read",
"write"
]
},
"repository_hooks": {
"type": "string",
"description": "The level of permission to grant the access token to manage the post-receive hooks for a repository.",
"enum": [
"read",
"write"
]
},
"repository_projects": {
"type": "string",
"description": "The level of permission to grant the access token to manage repository projects, columns, and cards.",
"enum": [
"read",
"write",
"admin"
]
},
"secret_scanning_alerts": {
"type": "string",
"description": "The level of permission to grant the access token to view and manage secret scanning alerts.",
"enum": [
"read",
"write"
]
},
"secrets": {
"type": "string",
"description": "The level of permission to grant the access token to manage repository secrets.",
"enum": [
"read",
"write"
]
},
"security_events": {
"type": "string",
"description": "The level of permission to grant the access token to view and manage security events like code scanning alerts.",
"enum": [
"read",
"write"
]
},
"single_file": {
"type": "string",
"description": "The level of permission to grant the access token to manage just a single file.",
"enum": [
"read",
"write"
]
},
"statuses": {
"type": "string",
"description": "The level of permission to grant the access token for commit statuses.",
"enum": [
"read",
"write"
]
},
"vulnerability_alerts": {
"type": "string",
"description": "The level of permission to grant the access token to manage Dependabot alerts.",
"enum": [
"read",
"write"
]
},
"workflows": {
"type": "string",
"description": "The level of permission to grant the access token to update GitHub Actions workflow files.",
"enum": [
"write"
]
},
"members": {
"type": "string",
"description": "The level of permission to grant the access token for organization teams and members.",
"enum": [
"read",
"write"
]
},
"organization_administration": {
"type": "string",
"description": "The level of permission to grant the access token to manage access to an organization.",
"enum": [
"read",
"write"
]
},
"organization_custom_roles": {
"type": "string",
"description": "The level of permission to grant the access token for custom repository roles management.",
"enum": [
"read",
"write"
]
},
"organization_custom_org_roles": {
"type": "string",
"description": "The level of permission to grant the access token for custom organization roles management.",
"enum": [
"read",
"write"
]
},
"organization_custom_properties": {
"type": "string",
"description": "The level of permission to grant the access token for custom property management.",
"enum": [
"read",
"write",
"admin"
]
},
"organization_copilot_seat_management": {
"type": "string",
"description": "The level of permission to grant the access token for managing access to GitHub Copilot for members of an organization with a Copilot Business subscription. This property is in public preview and is subject to change.",
"enum": [
"write"
]
},
"organization_announcement_banners": {
"type": "string",
"description": "The level of permission to grant the access token to view and manage announcement banners for an organization.",
"enum": [
"read",
"write"
]
},
"organization_events": {
"type": "string",
"description": "The level of permission to grant the access token to view events triggered by an activity in an organization.",
"enum": [
"read"
]
},
"organization_hooks": {
"type": "string",
"description": "The level of permission to grant the access token to manage the post-receive hooks for an organization.",
"enum": [
"read",
"write"
]
},
"organization_personal_access_tokens": {
"type": "string",
"description": "The level of permission to grant the access token for viewing and managing fine-grained personal access token requests to an organization.",
"enum": [
"read",
"write"
]
},
"organization_personal_access_token_requests": {
"type": "string",
"description": "The level of permission to grant the access token for viewing and managing fine-grained personal access tokens that have been approved by an organization.",
"enum": [
"read",
"write"
]
},
"organization_plan": {
"type": "string",
"description": "The level of permission to grant the access token for viewing an organization's plan.",
"enum": [
"read"
]
},
"organization_projects": {
"type": "string",
"description": "The level of permission to grant the access token to manage organization projects and projects public preview (where available).",
"enum": [
"read",
"write",
"admin"
]
},
"organization_packages": {
"type": "string",
"description": "The level of permission to grant the access token for organization packages published to GitHub Packages.",
"enum": [
"read",
"write"
]
},
"organization_secrets": {
"type": "string",
"description": "The level of permission to grant the access token to manage organization secrets.",
"enum": [
"read",
"write"
]
},
"organization_self_hosted_runners": {
"type": "string",
"description": "The level of permission to grant the access token to view and manage GitHub Actions self-hosted runners available to an organization.",
"enum": [
"read",
"write"
]
},
"organization_user_blocking": {
"type": "string",
"description": "The level of permission to grant the access token to view and manage users blocked by the organization.",
"enum": [
"read",
"write"
]
},
"team_discussions": {
"type": "string",
"description": "The level of permission to grant the access token to manage team discussions and related comments.",
"enum": [
"read",
"write"
]
},
"email_addresses": {
"type": "string",
"description": "The level of permission to grant the access token to manage the email addresses belonging to a user.",
"enum": [
"read",
"write"
]
},
"followers": {
"type": "string",
"description": "The level of permission to grant the access token to manage the followers belonging to a user.",
"enum": [
"read",
"write"
]
},
"git_ssh_keys": {
"type": "string",
"description": "The level of permission to grant the access token to manage git SSH keys.",
"enum": [
"read",
"write"
]
},
"gpg_keys": {
"type": "string",
"description": "The level of permission to grant the access token to view and manage GPG keys belonging to a user.",
"enum": [
"read",
"write"
]
},
"interaction_limits": {
"type": "string",
"description": "The level of permission to grant the access token to view and manage interaction limits on a repository.",
"enum": [
"read",
"write"
]
},
"profile": {
"type": "string",
"description": "The level of permission to grant the access token to manage the profile settings belonging to a user.",
"enum": [
"write"
]
},
"starring": {
"type": "string",
"description": "The level of permission to grant the access token to list and manage repositories a user is starring.",
"enum": [
"read",
"write"
]
}
},
"example": {
"contents": "read",
"issues": "read",
"deployments": "write",
"single_file": "read"
}
}

42
scripts/update-permission-inputs.js Normal file
View File

@@ -0,0 +1,42 @@
import { readFile, writeFile } from "node:fs/promises";
import OctokitOpenapi from "@octokit/openapi";
const appPermissionsSchema =
OctokitOpenapi.schemas["api.github.com"].components.schemas[
"app-permissions"
];
await writeFile(
`scripts/generated/app-permissions.json`,
JSON.stringify(appPermissionsSchema, null, 2) + "\n",
"utf8"
);
const permissionsInputs = Object.entries(appPermissionsSchema.properties)
.sort((a, b) => a[0].localeCompare(b[0]))
.reduce((result, [key, value]) => {
const formatter = new Intl.ListFormat("en", {
style: "long",
type: "disjunction",
});
const permissionAccessValues = formatter.format(
value.enum.map((p) => `'${p}'`)
);
const description = `${value.description} Can be set to ${permissionAccessValues}.`;
return `${result}
permission-${key.replace(/_/g, "-")}:
description: "${description}"`;
}, "");
const actionsYamlContent = await readFile("action.yml", "utf8");
// In the action.yml file, replace the content between the `<START GENERATED PERMISSIONS INPUTS>` and `<END GENERATED PERMISSIONS INPUTS>` comments with the new content
const updatedActionsYamlContent = actionsYamlContent.replace(
/(?<=# <START GENERATED PERMISSIONS INPUTS>)(.|\n)*(?=# <END GENERATED PERMISSIONS INPUTS>)/,
permissionsInputs + "\n "
);
await writeFile("action.yml", updatedActionsYamlContent, "utf8");
console.log("Updated action.yml with new permissions inputs");