Suggested improvements to explanation of id-token: write #32320
Comments
|
The table on this page also mentions I don't understand the relevance of |
|
@simonw Thank you for opening this issue! I'll get this triaged for review ✨ |
|
Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀 |
|
@simonw Hello! 👋 Thank you for your patience while our team reviewed this issue! After discussing this issue with our technical writing team, we are going to loop in one of our Actions SMEs, given the complexity of this topic. We'll provide another update once the Actions SME has reviewed 💛 |
|
@simonw Hi again! 👋 Thank you again for your patience while our Actions SME team reviewed. They wanted to ensure you had a chance to view this portion of the documentation regarding permissioning, and wanted to offer some additional context -
Does this help clarify some of the confusion regarding |
|
This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further. See this blog post on bug reports and the importance of repro steps for more information about the kind of information that may be helpful. |
Code of Conduct
What article on docs.github.com is affected?
The explanation of what
id-token: read/write/nonemeans in a GitHub Actions workflow is still really confusing. Previous issues about this include:id-tokenpermission #14626token-idpermission options #26481I guess the most relevant article is this one: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
What part(s) of the article would you like to see updated?
Here's my understanding of this feature. Feel free to use any of this copy, or correct me if I got something wrong!
The
id-token: writepermission provides a workflow the ability to interact with external services that use OpenID Connect (OIDC).The
writevalue can be better interpreted as meaning "enabled" - no writes occur with this permission, and it does not imply that the workflow has the ability to write to anything within GitHub.Instead, this permission allows the workflow to request an access token from an OIDC supporting external service, such as PyPI or AWS or Google Cloud.
When the GitHub Action workflow runs it will request a token from the relevant service. That service will be able to identify the workflow and repository that is making the request and will only return a token for workflows that it has been configured to allow.
A value of
id-token: readis treated the same asid-token: none(the default) - workflows withoutid-token: writewill be unable to request tokens from external services using OIDC.Additional information
No response
The text was updated successfully, but these errors were encountered: