Add a requirement for git repo Settings's Workflow Permissions to the document #179
Comments
|
Might also be useful to mention the specific permissions needed for those that can't or do not wish to grant full workflow permissions. After some experimentation, the following permissions seemed to work: |
|
@hcg1023 so you have encountered a problem there because you were using a custom GitHub token with some missing scopes that are automatically included in the default token? @smiley-uriux interesting, TIL about I would be very much open for accepting PR that would be adding some kind of Security section to the docs. |
|
@Andarist I'm using secrets.GITHUB_TOKEN, which should not be a custom GITHUB_TOKEN |
|
Ah - I see. I didn't realize that the permissions of this default token could have been changed like this. If you find a good place in the README to add this kind of information I would gladly merge a PR with such an addition |
|
Tried this out:
name: Release Package
on:
push:
branches:
- master
concurrency: ${{ github.workflow }}-${{ github.ref }}
jobs:
release:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: write
packages: write
pull-requests: write
issues: read
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0
- run: git fetch --no-tags --prune --depth=5 origin master
- name: asdf setup
uses: asdf-vm/actions/[email protected]
- name: asdf install
run: |
set -x
asdf plugin add nodejs
asdf install
#
# This step configures NPM
#
# - here we configure the registry for publishing
- name: Setup publishing
uses: actions/setup-node@v2
with:
registry-url: "https://npm.pkg.github.com"
#
# This step caches installed things
#
- name: Cache npm modules
uses: actions/cache@v2
env:
cache-name: cache-npm-modules
with:
path: ~/.npm
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ matrix.node-version }}-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-name }}-${{ matrix.node-version }}-
#
# Install things sensitive to the lockfile
#
- run: npm ci --ignore-scripts
#
#
#
- name: Create Release Pull Request or Publish to npm
id: changesets
uses: changesets/action@21240c3cd1d2efa2672d64e0235a03cf139b83e6
with:
# This expects you to have a script called release which does a build for your packages and calls changeset publish
publish: npm run release
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
# this is the secret sauce for authenticating to our github npm registry
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Deploy 🚀
uses: JamesIves/[email protected]
if: steps.changesets.outputs.published == 'true'
with:
token: ${{ secrets.GIT_PUSH_TOKEN }}
branch: gh-pages # The branch the action should deploy to.
folder: docs # The folder the action should deploy.
|
|
So the reason it never runs the follow up workflow on master is because changesets makes a commit with a message containing I've experimented with this a lot yesterday, and as we merge the "Version Packages" pr, i remove the @Andarist we need a way to modify the commit message of the "Version Packages" pr to remove the |
I felt that adding a request for Workflow Permissions for Git Settings at the beginning of the document would have saved me a lot of trouble. It was my first time using Github Actions and Changesets and the constant error reporting was very annoying, The default permissions are read-only and do not allow the creation and approval of pull requests
However, you need to write and create permission to approve pull requests
The text was updated successfully, but these errors were encountered: