actions/setup-copilot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add step to warn about unnecessary write permissions

Browse Source 
Probes the github-token for write access to actions, checks, contents,
deployments, issues, packages, pages, pull-requests, security-events,
and statuses. Emits a visible warning if any write scopes are detected.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
Devraj Mehta
2026-03-14 10:01:21 -04:00
parent f070e091bc
commit 0d854367d9
2 changed files with 53 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -9,7 +9,7 @@ steps:
- uses: actions/setup-copilot@v0 - uses: actions/setup-copilot@v0
with: with:
version: "latest" # optional, defaults to "latest" version: "latest" # optional, defaults to "latest"
github-token: ${{ secrets.COPILOT_TOKEN }} # optional, defaults to github.token github-token: ${{ secrets.GITHUB_TOKEN }} # optional, defaults to github.token
- run: copilot --version - run: copilot --version
``` ```

52
action.yml
View File

@@ -34,6 +34,58 @@ runs:
shell: bash shell: bash
run: echo "${{ runner.tool_cache }}/copilot/bin" >> "$GITHUB_PATH" run: echo "${{ runner.tool_cache }}/copilot/bin" >> "$GITHUB_PATH"
- name: Check for unnecessary write permissions
shell: bash
env:
GH_TOKEN: ${{ inputs.github-token }}
run: |
API="$GITHUB_API_URL/repos/$GITHUB_REPOSITORY"
writes_found=()
# Probe write access by sending invalid requests to write endpoints.
# 422/409 = token has write permission (passed auth, failed validation)
# 403 = token does not have write permission
probe_write() {
local scope="$1" url="$2" method="${3:-POST}" body="${4:-\{\}}"
code=$(curl -s -o /dev/null -w "%{http_code}" \
-X "$method" \
-H "Authorization: bearer $GH_TOKEN" \
-H "Accept: application/vnd.github+json" \
"$url" -d "$body")
case "$code" in
2[0-9][0-9]|422|409) writes_found+=("$scope") ;;
esac
}
probe_write "actions" "$API/actions/workflows/0/dispatches" POST '{"ref":"__probe__"}'
probe_write "checks" "$API/check-runs" POST '{}'
probe_write "contents" "$API/contents/__probe__" PUT '{"message":"probe"}'
probe_write "deployments" "$API/deployments" POST '{}'
probe_write "issues" "$API/issues" POST '{}'
probe_write "packages" "$GITHUB_API_URL/user/packages/container/__nonexistent__/versions/0" DELETE ''
probe_write "pages" "$API/pages" POST '{}'
probe_write "pull-requests" "$API/pulls" POST '{}'
probe_write "statuses" "$API/statuses/$GITHUB_SHA" POST '{}'
if [ ${#writes_found[@]} -gt 0 ]; then
echo ""
echo "::warning::⚠️ The github-token passed to setup-copilot has write permissions: ${writes_found[*]}. Granting write permissions to the Copilot CLI in Actions workflows is a security risk. Recommend scoping your token with least-privilege permissions."
{
echo "### ⚠️ setup-copilot: Excessive Token Permissions"
echo ""
echo "The \`github-token\` input has **write** access to: \`${writes_found[*]}\`."
echo ""
echo "Giving write permissions to the Copilot CLI in Actions workflows is a security risk."
echo ""
echo "**Recommendation:** add a \`permissions\` block to your job:"
echo '```yaml'
echo "permissions:"
echo " contents: read"
echo '```'
echo "and add a separate job with write permissions for steps that need it."
} >> "$GITHUB_STEP_SUMMARY"
fi
- name: Verify installation - name: Verify installation
id: version id: version
shell: bash shell: bash