actions/setup-copilot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
setup-copilot/action.yml
Devraj Mehta 0d854367d9 Add step to warn about unnecessary write permissions 
Probes the github-token for write access to actions, checks, contents,
deployments, issues, packages, pages, pull-requests, security-events,
and statuses. Emits a visible warning if any write scopes are detected.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-16 23:14:29 -04:00

95 lines
3.8 KiB
YAML
Raw Permalink Blame History

name: "Setup Copilot CLI"
description: "Install the GitHub Copilot CLI for use in GitHub Actions workflows"
branding:
icon: "terminal"
color: "blue"
inputs:
version:
description: "Version of Copilot CLI to install (e.g. '1.0.0', 'latest', 'prerelease')"
required: false
default: "latest"
github-token:
description: "GitHub token to download Copilot CLI. Defaults to the workflow token."
required: false
default: ${{ github.token }}
outputs:
version:
description: "The version of Copilot CLI that was installed"
value: ${{ steps.version.outputs.version }}
runs:
using: "composite"
steps:
- name: Install Copilot CLI
shell: bash
env:
VERSION: ${{ inputs.version }}
PREFIX: ${{ runner.tool_cache }}/copilot
GITHUB_TOKEN: ${{ inputs.github-token }}
run: curl -fsSL https://gh.io/copilot-install | bash
- name: Add to PATH
shell: bash
run: echo "${{ runner.tool_cache }}/copilot/bin" >> "$GITHUB_PATH"
- name: Check for unnecessary write permissions
shell: bash
env:
GH_TOKEN: ${{ inputs.github-token }}
run: |
API="$GITHUB_API_URL/repos/$GITHUB_REPOSITORY"
writes_found=()
# Probe write access by sending invalid requests to write endpoints.
# 422/409 = token has write permission (passed auth, failed validation)
# 403 = token does not have write permission
probe_write() {
local scope="$1" url="$2" method="${3:-POST}" body="${4:-\{\}}"
code=$(curl -s -o /dev/null -w "%{http_code}" \
-X "$method" \
-H "Authorization: bearer $GH_TOKEN" \
-H "Accept: application/vnd.github+json" \
"$url" -d "$body")
case "$code" in
2[0-9][0-9]|422|409) writes_found+=("$scope") ;;
esac
}
probe_write "actions" "$API/actions/workflows/0/dispatches" POST '{"ref":"__probe__"}'
probe_write "checks" "$API/check-runs" POST '{}'
probe_write "contents" "$API/contents/__probe__" PUT '{"message":"probe"}'
probe_write "deployments" "$API/deployments" POST '{}'
probe_write "issues" "$API/issues" POST '{}'
probe_write "packages" "$GITHUB_API_URL/user/packages/container/__nonexistent__/versions/0" DELETE ''
probe_write "pages" "$API/pages" POST '{}'
probe_write "pull-requests" "$API/pulls" POST '{}'
probe_write "statuses" "$API/statuses/$GITHUB_SHA" POST '{}'
if [ ${#writes_found[@]} -gt 0 ]; then
echo ""
echo "::warning::⚠️ The github-token passed to setup-copilot has write permissions: ${writes_found[*]}. Granting write permissions to the Copilot CLI in Actions workflows is a security risk. Recommend scoping your token with least-privilege permissions."
{
echo "### ⚠️ setup-copilot: Excessive Token Permissions"
echo ""
echo "The \`github-token\` input has **write** access to: \`${writes_found[*]}\`."
echo ""
echo "Giving write permissions to the Copilot CLI in Actions workflows is a security risk."
echo ""
echo "**Recommendation:** add a \`permissions\` block to your job:"
echo '```yaml'
echo "permissions:"
echo " contents: read"
echo '```'
echo "and add a separate job with write permissions for steps that need it."
} >> "$GITHUB_STEP_SUMMARY"
fi
- name: Verify installation
id: version
shell: bash
run: |
copilot --version
echo "version=$(copilot --version | head -1)" >> "$GITHUB_OUTPUT"
Reference in New Issue View Git Blame Copy Permalink