Merge pull request #9 from actions/devm33/check-write

Add step to warn about unnecessary write permissions

.github/workflows/release.yml

@@ -0,0 +1,73 @@
+name: Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      bump:
+        description: Version bump type
+        required: true
+        default: patch
+        type: choice
+        options:
+          - patch
+          - minor
+          - major
+
+jobs:
+  release:
+    runs-on: ubuntu-slim
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Determine new version
+        id: version
+        run: |
+          # Get the latest semver tag
+          LATEST_TAG=$(git tag --list 'v[0-9]*.[0-9]*.[0-9]*' --sort=-v:refname | head -n1)
+          if [ -z "$LATEST_TAG" ]; then
+            echo "No existing version tag found"
+            exit 1
+          fi
+
+          # Strip leading 'v' and split into components
+          VERSION="${LATEST_TAG#v}"
+          IFS='.' read -r MAJOR MINOR PATCH <<< "$VERSION"
+
+          case "${{ inputs.bump }}" in
+            major)
+              MAJOR=$((MAJOR + 1))
+              MINOR=0
+              PATCH=0
+              ;;
+            minor)
+              MINOR=$((MINOR + 1))
+              PATCH=0
+              ;;
+            patch)
+              PATCH=$((PATCH + 1))
+              ;;
+          esac
+
+          NEW_VERSION="v${MAJOR}.${MINOR}.${PATCH}"
+          echo "previous=$LATEST_TAG" >> "$GITHUB_OUTPUT"
+          echo "new=$NEW_VERSION" >> "$GITHUB_OUTPUT"
+          echo "major=v${MAJOR}" >> "$GITHUB_OUTPUT"
+          echo "Bumping $LATEST_TAG -> $NEW_VERSION"
+
+      - name: Create GitHub release
+        run: |
+          gh release create "${{ steps.version.outputs.new }}" \
+            --generate-notes \
+            --notes-start-tag "${{ steps.version.outputs.previous }}"
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Update major version tag
+        run: |
+          git fetch origin tag "${{ steps.version.outputs.new }}"
+          git tag -f "${{ steps.version.outputs.major }}" "${{ steps.version.outputs.new }}"
+          git push -f origin "${{ steps.version.outputs.major }}"

README.md

@@ -6,10 +6,10 @@ A GitHub Action to install the [GitHub Copilot CLI](https://github.com/github/co
 
 ```yaml
 steps:
-  - uses: actions/setup-copilot@v1
+  - uses: actions/setup-copilot@v0
     with:
       version: "latest" # optional, defaults to "latest"
-      github-token: ${{ secrets.COPILOT_TOKEN }} # optional, defaults to github.token
+      github-token: ${{ secrets.GITHUB_TOKEN }} # optional, defaults to github.token
   - run: copilot --version
 ```
 
@@ -31,13 +31,13 @@ steps:
 ### Install latest version
 
 ```yaml
-- uses: actions/setup-copilot@v1
+- uses: actions/setup-copilot@v0
 ```
 
 ### Install a specific version
 
 ```yaml
-- uses: actions/setup-copilot@v1
+- uses: actions/setup-copilot@v0
   with:
     version: "1.2.3"
 ```
@@ -45,7 +45,7 @@ steps:
 ### Use with a custom token
 
 ```yaml
-- uses: actions/setup-copilot@v1
+- uses: actions/setup-copilot@v0
   with:
     github-token: ${{ secrets.GH_TOKEN }}
 ```

action.yml

@@ -27,14 +27,65 @@ runs:
       env:
         VERSION: ${{ inputs.version }}
         PREFIX: ${{ runner.tool_cache }}/copilot
-      run: curl -fsSL https://gh.io/copilot-install | bash
-      env:
         GITHUB_TOKEN: ${{ inputs.github-token }}
+      run: curl -fsSL https://gh.io/copilot-install | bash
 
     - name: Add to PATH
       shell: bash
       run: echo "${{ runner.tool_cache }}/copilot/bin" >> "$GITHUB_PATH"
 
+    - name: Check for unnecessary write permissions
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.github-token }}
+      run: |
+        API="$GITHUB_API_URL/repos/$GITHUB_REPOSITORY"
+        writes_found=()
+
+        # Probe write access by sending invalid requests to write endpoints.
+        # 422/409 = token has write permission (passed auth, failed validation)
+        # 403     = token does not have write permission
+        probe_write() {
+          local scope="$1" url="$2" method="${3:-POST}" body="${4:-\{\}}"
+          code=$(curl -s -o /dev/null -w "%{http_code}" \
+            -X "$method" \
+            -H "Authorization: bearer $GH_TOKEN" \
+            -H "Accept: application/vnd.github+json" \
+            "$url" -d "$body")
+          case "$code" in
+            2[0-9][0-9]|422|409) writes_found+=("$scope") ;;
+          esac
+        }
+
+        probe_write "actions"         "$API/actions/workflows/0/dispatches" POST '{"ref":"__probe__"}'
+        probe_write "checks"          "$API/check-runs"                     POST '{}'
+        probe_write "contents"        "$API/contents/__probe__"             PUT  '{"message":"probe"}'
+        probe_write "deployments"     "$API/deployments"                    POST '{}'
+        probe_write "issues"          "$API/issues"                         POST '{}'
+        probe_write "packages"        "$GITHUB_API_URL/user/packages/container/__nonexistent__/versions/0" DELETE ''
+        probe_write "pages"           "$API/pages"                          POST '{}'
+        probe_write "pull-requests"   "$API/pulls"                          POST '{}'
+        probe_write "statuses"        "$API/statuses/$GITHUB_SHA"           POST '{}'
+
+        if [ ${#writes_found[@]} -gt 0 ]; then
+          echo ""
+          echo "::warning::⚠️  The github-token passed to setup-copilot has write permissions: ${writes_found[*]}. Granting write permissions to the Copilot CLI in Actions workflows is a security risk. Recommend scoping your token with least-privilege permissions."
+          {
+            echo "### ⚠️ setup-copilot: Excessive Token Permissions"
+            echo ""
+            echo "The \`github-token\` input has **write** access to: \`${writes_found[*]}\`."
+            echo ""
+            echo "Giving write permissions to the Copilot CLI in Actions workflows is a security risk."
+            echo ""
+            echo "**Recommendation:** add a \`permissions\` block to your job:"
+            echo '```yaml'
+            echo "permissions:"
+            echo "  contents: read"
+            echo '```'
+            echo "and add a separate job with write permissions for steps that need it."
+          } >> "$GITHUB_STEP_SUMMARY"
+        fi
+
     - name: Verify installation
       id: version
       shell: bash