Merge pull request #9 from actions/devm33/check-write

Add step to warn about unnecessary write permissions
2026-03-16 23:14:51 -04:00 · 2026-03-16 23:14:29 -04:00 · 2026-03-10 23:21:50 -04:00 · 2026-03-10 22:00:28 -04:00
3 changed files with 54 additions and 1 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -68,5 +68,6 @@ jobs:

      - name: Update major version tag
        run: |
+          git fetch origin tag "${{ steps.version.outputs.new }}"
          git tag -f "${{ steps.version.outputs.major }}" "${{ steps.version.outputs.new }}"
          git push -f origin "${{ steps.version.outputs.major }}"
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ steps:
  - uses: actions/setup-copilot@v0
    with:
      version: "latest" # optional, defaults to "latest"
-      github-token: ${{ secrets.COPILOT_TOKEN }} # optional, defaults to github.token
+      github-token: ${{ secrets.GITHUB_TOKEN }} # optional, defaults to github.token
  - run: copilot --version
 ```

--- a/action.yml
+++ b/action.yml
@@ -34,6 +34,58 @@ runs:
      shell: bash
      run: echo "${{ runner.tool_cache }}/copilot/bin" >> "$GITHUB_PATH"

+    - name: Check for unnecessary write permissions
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.github-token }}
+      run: |
+        API="$GITHUB_API_URL/repos/$GITHUB_REPOSITORY"
+        writes_found=()
+
+        # Probe write access by sending invalid requests to write endpoints.
+        # 422/409 = token has write permission (passed auth, failed validation)
+        # 403     = token does not have write permission
+        probe_write() {
+          local scope="$1" url="$2" method="${3:-POST}" body="${4:-\{\}}"
+          code=$(curl -s -o /dev/null -w "%{http_code}" \
+            -X "$method" \
+            -H "Authorization: bearer $GH_TOKEN" \
+            -H "Accept: application/vnd.github+json" \
+            "$url" -d "$body")
+          case "$code" in
+            2[0-9][0-9]|422|409) writes_found+=("$scope") ;;
+          esac
+        }
+
+        probe_write "actions"         "$API/actions/workflows/0/dispatches" POST '{"ref":"__probe__"}'
+        probe_write "checks"          "$API/check-runs"                     POST '{}'
+        probe_write "contents"        "$API/contents/__probe__"             PUT  '{"message":"probe"}'
+        probe_write "deployments"     "$API/deployments"                    POST '{}'
+        probe_write "issues"          "$API/issues"                         POST '{}'
+        probe_write "packages"        "$GITHUB_API_URL/user/packages/container/__nonexistent__/versions/0" DELETE ''
+        probe_write "pages"           "$API/pages"                          POST '{}'
+        probe_write "pull-requests"   "$API/pulls"                          POST '{}'
+        probe_write "statuses"        "$API/statuses/$GITHUB_SHA"           POST '{}'
+
+        if [ ${#writes_found[@]} -gt 0 ]; then
+          echo ""
+          echo "::warning::⚠️  The github-token passed to setup-copilot has write permissions: ${writes_found[*]}. Granting write permissions to the Copilot CLI in Actions workflows is a security risk. Recommend scoping your token with least-privilege permissions."
+          {
+            echo "### ⚠️ setup-copilot: Excessive Token Permissions"
+            echo ""
+            echo "The \`github-token\` input has **write** access to: \`${writes_found[*]}\`."
+            echo ""
+            echo "Giving write permissions to the Copilot CLI in Actions workflows is a security risk."
+            echo ""
+            echo "**Recommendation:** add a \`permissions\` block to your job:"
+            echo '```yaml'
+            echo "permissions:"
+            echo "  contents: read"
+            echo '```'
+            echo "and add a separate job with write permissions for steps that need it."
+          } >> "$GITHUB_STEP_SUMMARY"
+        fi
+
    - name: Verify installation
      id: version
      shell: bash
Author	SHA1	Message	Date
Devraj Mehta	01f2415f3d	Merge pull request #9 from actions/devm33/check-write Some checks failed Test / test (ubuntu-24.04-arm) (push) Has been cancelled Details Test / test (ubuntu-latest) (push) Has been cancelled Details Add step to warn about unnecessary write permissions	2026-03-16 23:14:51 -04:00
Devraj Mehta	0d854367d9	Add step to warn about unnecessary write permissions Probes the github-token for write access to actions, checks, contents, deployments, issues, packages, pages, pull-requests, security-events, and statuses. Emits a visible warning if any write scopes are detected. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-03-16 23:14:29 -04:00
Devraj Mehta	f070e091bc	Merge pull request #8 from actions/fix-release-tag-fetch Fix: fetch new tag before updating major version tag	2026-03-10 23:21:50 -04:00
Devraj Mehta	bf52dcb0f1	Fix: fetch new tag before updating major version tag gh release create creates the tag on the remote, so we need to fetch it before we can reference it locally for the major version tag update. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-03-10 22:00:28 -04:00