From d598a6c1d8c9bb27b7ad2bbc06af4c311a48aaae Mon Sep 17 00:00:00 2001 From: Hirsch Singhal <1666363+hpsin@users.noreply.github.com> Date: Thu, 11 Jul 2024 06:40:44 -0700 Subject: [PATCH] Actions has permissions, not Scopes (#51614) --- .../actions/using-jobs/assigning-permissions-to-jobs.md | 2 +- .../actions/github-token-available-permissions.md | 8 ++++---- data/reusables/actions/github-token-permissions.md | 2 +- data/reusables/actions/github-token-scope-descriptions.md | 6 +++--- .../jobs/setting-permissions-specific-jobs-example.md | 2 +- data/reusables/actions/workflows/github-token-access.md | 2 +- 6 files changed, 11 insertions(+), 11 deletions(-) diff --git a/content/actions/using-jobs/assigning-permissions-to-jobs.md b/content/actions/using-jobs/assigning-permissions-to-jobs.md index ab194381344d..eb97fdffd1aa 100644 --- a/content/actions/using-jobs/assigning-permissions-to-jobs.md +++ b/content/actions/using-jobs/assigning-permissions-to-jobs.md @@ -14,7 +14,7 @@ versions: {% data reusables.actions.jobs.section-assigning-permissions-to-jobs %} -## Defining access for the `GITHUB_TOKEN` scopes +## Defining access for the `GITHUB_TOKEN` permissions {% data reusables.actions.github-token-available-permissions %} diff --git a/data/reusables/actions/github-token-available-permissions.md b/data/reusables/actions/github-token-available-permissions.md index 2bdfa7ad08c1..7f8d34008398 100644 --- a/data/reusables/actions/github-token-available-permissions.md +++ b/data/reusables/actions/github-token-available-permissions.md @@ -1,4 +1,4 @@ -You can define the access that the `GITHUB_TOKEN` will permit by specifying `read`, `write`, or `none` as the value of the available scopes within the `permissions` key. +You can define the access that the `GITHUB_TOKEN` will permit by specifying `read`, `write`, or `none` as the value of the available permissions within the `permissions` key. ```yaml permissions: 
@@ -17,9 +17,9 @@ permissions: statuses: read|write|none ``` -If you specify the access for any of these scopes, all of those that are not specified are set to `none`. +If you specify the access for any of these permissions, all of those that are not specified are set to `none`. -You can use the following syntax to define one of `read-all` or `write-all` access for all of the available scopes: +You can use the following syntax to define one of `read-all` or `write-all` access for all of the available permissions: ```yaml permissions: read-all @@ -29,7 +29,7 @@ permissions: read-all permissions: write-all ``` -You can use the following syntax to disable permissions for all of the available scopes: +You can use the following syntax to disable permissions for all of the available permissions: ```yaml permissions: {} diff --git a/data/reusables/actions/github-token-permissions.md b/data/reusables/actions/github-token-permissions.md index 90d5836ca2a8..11d2ada1c33d 100644 --- a/data/reusables/actions/github-token-permissions.md +++ b/data/reusables/actions/github-token-permissions.md @@ -1 +1 @@ -The `GITHUB_TOKEN` secret is set to an access token for the repository each time a job in a workflow begins. You should set the permissions for this access token in the workflow file to grant read access for the `contents` scope and write access for the `packages` scope. For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)." +The `GITHUB_TOKEN` secret is set to an access token for the repository each time a job in a workflow begins. You should set the permissions for this access token in the workflow file to grant read access for the `contents` permission and write access for the `packages` permission. For more information, see "[AUTOTITLE](/actions/security-guides/automatic-token-authentication)." 
diff --git a/data/reusables/actions/github-token-scope-descriptions.md b/data/reusables/actions/github-token-scope-descriptions.md index f636e8feef8e..ca4c7bf06737 100644 --- a/data/reusables/actions/github-token-scope-descriptions.md +++ b/data/reusables/actions/github-token-scope-descriptions.md @@ -1,8 +1,8 @@ -For each of the available scopes, shown in the table below, you can assign one of the permissions: `read`, `write`, or `none`. If you specify the access for any of these scopes, all of those that are not specified are set to `none`. +For each of the available permissions, shown in the table below, you can assign one of the access levels: `read`, `write`, or `none`. `write` includes `read`. If you specify the access for any of these permissions, all of those that are not specified are set to `none`. -Available scopes and details of what each allows an action to do: +Available permissions and details of what each allows an action to do: -| Scope | Allows an action using `GITHUB_TOKEN` to | +| Permission | Allows an action using `GITHUB_TOKEN` to | | --- | --- | | `actions` | Work with GitHub Actions. For example, `actions: write` permits an action to cancel a workflow run. For more information, see "[AUTOTITLE](/rest/overview/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-actions)." | {% ifversion artifact-attestations %}| `attestations` | Work with artifact attestations. For example, `attestations: write` permits an action to generate an artifact attestation for a build. For more information, see "[AUTOTITLE](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds)" |{% endif %} diff --git a/data/reusables/actions/jobs/setting-permissions-specific-jobs-example.md b/data/reusables/actions/jobs/setting-permissions-specific-jobs-example.md index 34fa505d7e01..44e3ccd7c6a4 100644 --- a/data/reusables/actions/jobs/setting-permissions-specific-jobs-example.md 
+++ b/data/reusables/actions/jobs/setting-permissions-specific-jobs-example.md @@ -1,4 +1,4 @@ -This example shows permissions being set for the `GITHUB_TOKEN` that will only apply to the job named `stale`. Write access is granted for the `issues` and `pull-requests` scopes. All other scopes will have no access. +This example shows permissions being set for the `GITHUB_TOKEN` that will only apply to the job named `stale`. Write access is granted for the `issues` and `pull-requests` permissions. All other permissions will have no access. ```yaml jobs: diff --git a/data/reusables/actions/workflows/github-token-access.md b/data/reusables/actions/workflows/github-token-access.md index 33f06b8c95a1..e729af1ab102 100644 --- a/data/reusables/actions/workflows/github-token-access.md +++ b/data/reusables/actions/workflows/github-token-access.md @@ -1 +1 @@ -1. Under "Workflow permissions", choose whether you want the `GITHUB_TOKEN` to have read and write access for all scopes (the permissive setting), or just read access for the `contents` {% ifversion actions-default-workflow-permissions-restrictive %}and `packages` scopes{% else %}scope{% endif %} (the restricted setting). +1. Under "Workflow permissions", choose whether you want the `GITHUB_TOKEN` to have read and write access for all permissions (the permissive setting), or just read access for the `contents` {% ifversion actions-default-workflow-permissions-restrictive %}and `packages` permissions{% else %}permission{% endif %} (the restricted setting).
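Review bot: In content/actions/using-jobs/assigning-permissions-to-jobs.md, renaming the heading to "Defining access for the `GITHUB_TOKEN` permissions" changes the anchor generated from that heading, so any link that targets the old fragment ending in "scopes" will stop resolving. Search the docs for links to the old fragment and update them in this patch, or state in the description that none exist.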
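Review bot: In data/reusables/actions/github-token-available-permissions.md, the changed line in the last hunk (@@ -29,7 +29,7 @@) now reads "disable permissions for all of the available permissions", which is circular after the word-for-word substitution. Suggest "You can use the following syntax to set the access to `none` for all of the available permissions:", which matches the `read`, `write`, or `none` wording at the top of the same file and makes clear that `permissions: {}` leaves the token with no access.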
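Review bot: In data/reusables/actions/github-token-scope-descriptions.md, the first changed line adds the sentence "`write` includes `read`", a statement about token behavior that the subject line ("Actions has permissions, not Scopes") does not cover. Mention it in the commit message or split it into its own change so the rename stays a pure wording change. The same line also introduces "access levels" as the name for `read`, `write` and `none`, while github-token-available-permissions.md still has no name for those values, so consider using "access level" there as well. The reusable's own file name still contains "scope"; a follow-up rename would keep the terminology consistent.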