Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve token-id permission options #26481

Closed
1 task done
rickstaa opened this issue Jul 2, 2023 · 15 comments
Closed
1 task done

Improve token-id permission options #26481

rickstaa opened this issue Jul 2, 2023 · 15 comments
Labels
actions This issue or pull request should be reviewed by the docs actions team content This issue or pull request belongs to the Docs Content team needs SME This proposal needs review from a subject matter expert stale There is no recent activity on this issue or pull request waiting for review Issue/PR is waiting for a writer's review

Comments

@rickstaa
Copy link

rickstaa commented Jul 2, 2023
edited
Loading

Code of Conduct

What article on docs.github.com is affected?

The options that can be used for the token-id permission are not documented. The documentation states that this key can take on the following values:

  • write: Allows a JWT token to be requested from GitHub's OIDC provider and (temporarily) written to the GitHub backend.
  • read: This option is unclear and looks deprecated.
  • none: Functions similarly to the (deprecated) read option.

However, when setting the token-id to read, a github action fails with an Unexpected value 'read' error. When the write or none options are used, the workflow has no error. It, therefore, looks as if:

  1. The read option was deprecated, but the documentation is not yet updated.
  2. The github action runner has a bug.

Since I don't know which of these two is correct, I did not yet create a PR to fix the documentation but decided to wait for the @github team to clarify this.

How to reproduce

To see this problem in action, go to this example repository and check the latest action runs:

What part(s) of the article would you like updated?

  1. The options given for the id-token key in https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs#overview should be updated from:
permissions:
  actions: read|write|none
  checks: read|write|none
  contents: read|write|none
  deployments: read|write|none
  id-token: read|write|none
  issues: read|write|none
  discussions: read|write|none
  packages: read|write|none
  pages: read|write|none
  pull-requests: read|write|none
  repository-projects: read|write|none
  security-events: read|write|none
  statuses: read|write|none

to

permissions:
  actions: read|write|none
  checks: read|write|none
  contents: read|write|none
  deployments: read|write|none
  id-token: write|none
  issues: read|write|none
  discussions: read|write|none
  packages: read|write|none
  pages: read|write|none
  pull-requests: read|write|none
  repository-projects: read|write|none
  security-events: read|write|none
  statuses: read|write|none
  1. The read option should also be removed from https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings.

Additional information

This issue is related but slightly different than #25952.
@rickstaa rickstaa added the content This issue or pull request belongs to the Docs Content team label Jul 2, 2023
@welcome
Copy link

welcome bot commented Jul 2, 2023

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

@rickstaa rickstaa mentioned this issue Jul 2, 2023
Closed
1 task
@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label Jul 2, 2023
This was referenced Jul 2, 2023
Closed
Merged
rickstaa added a commit to anuraghazra/github-readme-stats that referenced this issue Jul 2, 2023
@rickstaa
ci: fix id-token 'read' bug
8d2da8f 
This commit fixes a bug that is present when the `read` option is used
for the `id-token` permission (see github/docs#26481).
rickstaa added a commit to anuraghazra/github-readme-stats that referenced this issue Jul 2, 2023
@rickstaa
ci: fix id-token 'read' bug
2143e9d 
This commit fixes a bug that is present when the `read` option is used
for the `id-token` permission (see github/docs#26481).
@rickstaa rickstaa mentioned this issue Jul 2, 2023
Merged
qwerty541 pushed a commit to anuraghazra/github-readme-stats that referenced this issue Jul 2, 2023
@rickstaa
ci: fix id-token 'read' bug (#2904)
de4efa9 
This commit fixes a bug that is present when the `read` option is used
for the `id-token` permission (see github/docs#26481).
@cmwilson21 cmwilson21 added actions This issue or pull request should be reviewed by the docs actions team waiting for review Issue/PR is waiting for a writer's review and removed triage Do not begin working on this issue until triaged by the team labels Jul 3, 2023
@cmwilson21
Copy link
Contributor

@rickstaa Thanks so much for opening an issue! I'll triage this for the team to take a look 👀

And welcome to the community! 🎉

While this is awaiting review, help wanted section if you are looking for other ways to contribute. ✨

@cmwilson21
Copy link
Contributor

@rickstaa Also, if this is blocking you, please reach out to our awesome support team for additional help.

And thanks again for the issue and for so clearly defining your problem 💖

@rickstaa
Copy link
Author

rickstaa commented Jul 3, 2023

@cmwilson21, thanks for your quick response. Take your time; it's not blocking since people can set token-id to none as a workaround 👍🏻.

@evankanderson
Copy link

FWIW, I had the same question today. I'm assuming the write value was chosen because it allows requesting a token which can be used to authenticate to other services (and possibly call arbitrary protected methods), but there doesn't seem to be a clear place that explains what this permission is.

J00MZ pushed a commit to J00MZ/github-readme-stats that referenced this issue Jul 23, 2023
@rickstaa @J00MZ
ci: fix id-token 'read' bug (anuraghazra#2904)
64557ff 
This commit fixes a bug that is present when the `read` option is used
for the `id-token` permission (see github/docs#26481).
tobim added a commit to tenzir/tenzir that referenced this issue Sep 12, 2023
@tobim
Work around broken GH permissions setting
6e151fc 
The `id-token` permission does actually not accept the value `read`.
See github/docs#26481.
@tobim tobim mentioned this issue Sep 12, 2023
Merged
@Codeup357

This comment was marked as spam.

Sign in to view
tobim added a commit to tenzir/tenzir that referenced this issue Sep 13, 2023
@tobim
Work around broken GH permissions setting
9d76161 
The `id-token` permission does actually not accept the value `read`.
See github/docs#26481.
tobim added a commit to tenzir/tenzir that referenced this issue Sep 13, 2023
@tobim
Work around broken GH permissions setting
a0b3353 
The `id-token` permission does actually not accept the value `read`.
See github/docs#26481.
tobim added a commit to tenzir/tenzir that referenced this issue Sep 14, 2023
@tobim
Fix and improve the "Update SBOM" GHA Workflow (#3506)
3c41962 
The `id-token` permission does actually not accept the value `read`.
See github/docs#26481.
devantler pushed a commit to devantler/github-readme-stats that referenced this issue Sep 24, 2023
@rickstaa @devantler
ci: fix id-token 'read' bug (anuraghazra#2904)
87b5941 
This commit fixes a bug that is present when the `read` option is used
for the `id-token` permission (see github/docs#26481).
@Adeyo9670

This comment was marked as spam.

Sign in to view
@Adeyo9670

This comment was marked as spam.

Sign in to view
@felicitymay felicitymay added the needs SME This proposal needs review from a subject matter expert label Oct 10, 2023
@github-actions
Copy link
Contributor

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀

@faubion-hbo
Copy link
Contributor

faubion-hbo commented Nov 17, 2023
edited
Loading

there is also a reference to seeing id-token to read under this heading: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token (as value for "Maximum access for
pull requests from public forked repositories")

@Qerenfil

This comment was marked as spam.

Sign in to view
1 similar comment
@Qerenfil

This comment was marked as spam.

Sign in to view
@umi1299 umi1299 mentioned this issue Nov 20, 2023
Merged
@kylejwatson kylejwatson mentioned this issue Dec 13, 2023
Merged
8 tasks
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 3, 2024

This is a gentle bump for the docs team that this issue is waiting for technical review.

@github-actions github-actions bot added the SME stale The request for an SME has staled label Jan 3, 2024
setdebarr pushed a commit to setdebarr/github-readme-stats that referenced this issue Jan 12, 2024
@rickstaa @setdebarr
ci: fix id-token 'read' bug (anuraghazra#2904)
b63c74b 
This commit fixes a bug that is present when the `read` option is used
for the `id-token` permission (see github/docs#26481).
@github-actions github-actions bot added stale There is no recent activity on this issue or pull request and removed SME stale The request for an SME has staled labels Mar 4, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Mar 12, 2024
@simonw
Copy link
Contributor

simonw commented Apr 1, 2024

This is still incredibly confusing.

This was referenced Apr 1, 2024
Open
Closed
@janbrasna
Copy link
Contributor

Super confusing;)

@rickstaa To quote from another thread:

Thank you again for your patience while our Actions SME team reviewed. They wanted to ensure you had a chance to view this portion of the documentation regarding permissioning, and wanted to offer some additional context -

For reusable workflows outside the org and also for pull requests from public forked repos , default value issued to id-token is "read" to be safe and restrictive. Users could change it to "write" if they want to explicitly grant permissions for the workflow to request an OIDC JWT.

Does this help clarify some of the confusion regarding id-token: read/write/none?

Originally posted by @nguyenalex836 in #32320 (comment)

So for me that means, that the id-token can in some scenarios be "read" by default, but can't be explicitly set to that value by the action author(?).

(But with completely basic docs on what the id-token values really mean missing, I can't really make the mental model of what "read" and "to be safe and restrictive" really means in the context, how that differs from "none", probably without seeing some internals of how that is being used in the runners I won't be able to wrap my head around how that works and unfortunately just keep cargo-culting their use as directed by the actions' authors;)…)

@janbrasna janbrasna mentioned this issue Jul 14, 2024
Closed
1 task
@janbrasna janbrasna mentioned this issue Aug 14, 2024
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
actions This issue or pull request should be reviewed by the docs actions team content This issue or pull request belongs to the Docs Content team needs SME This proposal needs review from a subject matter expert stale There is no recent activity on this issue or pull request waiting for review Issue/PR is waiting for a writer's review
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
12 participants
@simonw @janbrasna @felicitymay @evankanderson @rickstaa @faubion-hbo @cmwilson21 @Adeyo9670 @Codeup357 @Qerenfil and others