diff --git a/.github/workflows/_local_on_pr.yml b/.github/workflows/_local_on_pr.yml index dd085aa..10eadb3 100644 --- a/.github/workflows/_local_on_pr.yml +++ b/.github/workflows/_local_on_pr.yml @@ -38,6 +38,7 @@ jobs: setup-bazel-cache-tests: uses: ./.github/workflows/test-setup-bazel-cache.yml permissions: + actions: write contents: read unblock-user-namespace-for-linux-sandbox-tests: diff --git a/.github/workflows/test-setup-bazel-cache.yml b/.github/workflows/test-setup-bazel-cache.yml index 48c4303..40cefce 100644 --- a/.github/workflows/test-setup-bazel-cache.yml +++ b/.github/workflows/test-setup-bazel-cache.yml @@ -18,6 +18,7 @@ on: workflow_dispatch: permissions: + actions: write contents: read jobs: diff --git a/inter-repo-access/README.md b/inter-repo-access/README.md index 73eca16..2d19ab1 100644 --- a/inter-repo-access/README.md +++ b/inter-repo-access/README.md @@ -45,6 +45,10 @@ The rewrite host is derived from `github.server_url`, so the same behavior appli The action also exposes the selected token as `outputs.token` for cases where a token must be passed explicitly (for example, to a GitHub API call). +## Required permissions + +This action configures git URL rewrites and optionally calls `actions/create-github-app-token` (which uses a JWT, not `GITHUB_TOKEN`). It does not call the GitHub API with `GITHUB_TOKEN` and requires no permissions of its own. + ## Inputs - `github-app-client-id`: GitHub App client ID. When set, `github-app-private-key` is also required. diff --git a/setup-bazel-cache/README.md b/setup-bazel-cache/README.md index af340b8..d3e55c8 100644 --- a/setup-bazel-cache/README.md +++ b/setup-bazel-cache/README.md 
@@ -13,6 +13,17 @@ steps: Using `github.workflow` and `github.job` together gives each job its own cache automatically. Append a matrix identifier if the same job runs with different configurations that produce different build outputs. +## Required permissions + +The job using this action needs: + +```yaml +permissions: + actions: write +``` + +`actions: write` is required because deleting caches — which this action does to prune stale entries — is only available through the GitHub REST API. The internal runner token used for cache save and restore does not cover deletion; `GITHUB_TOKEN` with `actions: write` is the only supported mechanism for it. + ## The cache only gets written from `main` PR and branch builds read from the cache but never write to it. Only builds on `main` populate it. diff --git a/setup-qnx-sdp/README.md b/setup-qnx-sdp/README.md index 934a94d..ddf13e1 100644 --- a/setup-qnx-sdp/README.md +++ b/setup-qnx-sdp/README.md @@ -13,6 +13,10 @@ It performs the following: - Configures access to qnx.com via `.netrc`. - Automatically removes the QNX license file and the `.netrc` entry when the job finishes (post-action). +## Required permissions + +This action performs only local filesystem operations and does not call the GitHub API. No `GITHUB_TOKEN` permissions are required beyond whatever the rest of the job needs. + ## How it works When invoked, the action runs these steps in order: diff --git a/unblock-user-namespace-for-linux-sandbox/README.md b/unblock-user-namespace-for-linux-sandbox/README.md index c665185..cd0b3fb 100644 --- a/unblock-user-namespace-for-linux-sandbox/README.md +++ b/unblock-user-namespace-for-linux-sandbox/README.md 
@@ -1,5 +1,9 @@ # Unblock user namespace for linux-sandbox +## Required permissions + +This action calls `sudo apparmor_parser` locally and does not call the GitHub API. No `GITHUB_TOKEN` permissions are required beyond whatever the rest of the job needs. + Some tests require `linux-sandbox`. Starting with Ubuntu 23.10 Canonical has blocked Linux user namespaces for [security reasons](https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626/1). This action allows `linux-sandbox` to use Linux user namespaces via configuring `apparmor`.
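Review bot: in the `_local_on_pr.yml` hunk, the new `actions: write` grant on the `setup-bazel-cache-tests` job is scoped to the single job that calls the reusable workflow, which is the right granularity, but reviewers should keep in mind that `actions: write` on `GITHUB_TOKEN` also permits cancelling and re-running workflow runs and deleting artifacts, not only cache deletion, so it is broader than the README text implies; on pull requests from forks the token stays read-only regardless of this block, so confirm the cache-prune path tolerates a denied delete rather than failing the test job.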
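Review bot: in the `test-setup-bazel-cache.yml` hunk, `actions: write` is added to the workflow-level `permissions:` block (directly under `on:`), so every job in the file receives it; move it into the `permissions:` block of the job that actually runs `setup-bazel-cache`, mirroring what the caller does in `_local_on_pr.yml`, so the other jobs keep the read-only default.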
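Review bot: in the `setup-bazel-cache/README.md` hunk, the YAML snippet under "Required permissions" lists only `actions: write`, but a `permissions:` block replaces the default grant entirely, so a caller copying it verbatim loses `contents: read` and `actions/checkout` will fail; add `contents: read` alongside it, as the two workflow hunks in this same patch do. The following section states that PR and branch builds never write to the cache, so the new text should also say whether pruning, and therefore the `actions: write` requirement, applies only to builds on `main`.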
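Review bot: in the `inter-repo-access/README.md` hunk, "requires no permissions of its own" is correct for `GITHUB_TOKEN`, but since the action mints an App token via `actions/create-github-app-token` and exposes it as `outputs.token`, add a sentence that the effective scope of that token is set by the GitHub App's installation permissions, so readers do not conclude the action runs with no privileges at all.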
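Review bot: in the `unblock-user-namespace-for-linux-sandbox/README.md` hunk, the new "Required permissions" section is inserted directly under the title, ahead of the paragraph that explains what the action is for; place it after that introductory paragraph so the README leads with purpose, consistent with the other READMEs in this patch where the section follows the description.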