Suggested improvements to explanation of id-token: write #32320
Comments
The table on this page also mentions I don't understand the relevance of
@simonw Thank you for opening this issue! I'll get this triaged for review ✨
Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀
@simonw Hello! 👋 Thank you for your patience while our team reviewed this issue! After discussing this issue with our technical writing team, we are going to loop in one of our Actions SMEs, given the complexity of this topic. We'll provide another update once the Actions SME has reviewed 💛
@simonw Hi again! 👋 Thank you again for your patience while our Actions SME team reviewed. They wanted to ensure you had a chance to view this portion of the documentation regarding permissioning, and wanted to offer some additional context -
Does this help clarify some of the confusion regarding
This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further. See this blog post on bug reports and the importance of repro steps for more information about the kind of information that may be helpful.
What article on docs.github.com is affected?
The explanation of what `id-token: read/write/none` means in a GitHub Actions workflow is still really confusing. Previous issues about this include:

- `id-token` permission #14626
- `token-id` permission options #26481

I guess the most relevant article is this one: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
What part(s) of the article would you like to see updated?
Here's my understanding of this feature. Feel free to use any of this copy, or correct me if I got something wrong!
The `id-token: write` permission provides a workflow the ability to interact with external services that use OpenID Connect (OIDC).

The `write` value can be better interpreted as meaning "enabled" - no writes occur with this permission, and it does not imply that the workflow has the ability to write to anything within GitHub. Instead, this permission allows the workflow to request an access token from an OIDC supporting external service, such as PyPI or AWS or Google Cloud.
When the GitHub Action workflow runs it will request a token from the relevant service. That service will be able to identify the workflow and repository that is making the request and will only return a token for workflows that it has been configured to allow.
A value of `id-token: read` is treated the same as `id-token: none` (the default) - workflows without `id-token: write` will be unable to request tokens from external services using OIDC.

Additional information
No response
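The relying-party side of the flow described in the issue body, as an added example that is not part of this issue, of GitHub's documentation, or of any cloud provider's SDK. In practice the job obtains a signed JWT from GitHub's own OIDC provider (the runner exposes `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` to the job only when `id-token: write` is granted) and presents that JWT to the external service, which verifies it and then issues its own short-lived credentials. The code below shows what that service checks before trusting the token: issuer, audience, validity window, and whether the `sub` claim matches an allow-listed repository and ref. The token, the claim values (`octo-org/octo-repo`, `sts.amazonaws.com`) and the `trust_policy_allows` helper are all constructed for illustration; the token is deliberately unsigned so the example runs offline, whereas a real verifier must check the RS256 signature against the issuer's published keys before looking at a single claim.

```python
"""Relying-party checks for a GitHub Actions OIDC token (illustrative only).

Added example, not part of the issue or of GitHub's docs. The token built here
is constructed and UNSIGNED; a real verifier validates the RS256 signature
against the issuer's JWKS first.

Workflow side, for reference (YAML): without this block the job's environment
has no ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN and it
cannot obtain a token at all.
    permissions:
      id-token: write
      contents: read
"""
import base64
import json
import time
from fnmatch import fnmatchcase

# Issuer of every GitHub Actions OIDC token.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg=none) carrying the given claims."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",  # empty signature segment: only acceptable in this offline demo
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def trust_policy_allows(claims: dict, expected_audience: str,
                        allowed_subjects: list, now=None) -> tuple:
    """Hypothetical trust-policy decision: may this workflow run get credentials?

    Mirrors what a cloud provider's OIDC trust policy evaluates: issuer,
    audience, validity window, and a match of `sub` against allow-listed
    patterns ('*' is a wildcard, as in an AWS StringLike condition).
    """
    now = int(time.time()) if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if aud != expected_audience and not (isinstance(aud, list) and expected_audience in aud):
        return False, "audience mismatch"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "token expired or missing exp"
    if now < claims.get("nbf", 0):
        return False, "token not yet valid"
    sub = claims.get("sub", "")
    # Beware of broad patterns such as "repo:octo-org/octo-repo:*": they also
    # match pull_request and every branch, not just the deploy branch.
    if not any(fnmatchcase(sub, pattern) for pattern in allowed_subjects):
        return False, f"subject {sub!r} not allowed"
    return True, "ok"


# Constructed claims modelled on a push to main of octo-org/octo-repo
# (placeholder names, not a real repository). Fixed clock for reproducibility.
NOW = 1_700_000_000
MAIN_PUSH_CLAIMS = {
    "iss": GITHUB_ISSUER,
    "sub": "repo:octo-org/octo-repo:ref:refs/heads/main",
    "aud": "sts.amazonaws.com",
    "repository": "octo-org/octo-repo",
    "repository_owner": "octo-org",
    "ref": "refs/heads/main",
    "workflow": "deploy",
    "job_workflow_ref": "octo-org/octo-repo/.github/workflows/deploy.yml@refs/heads/main",
    "iat": NOW, "nbf": NOW, "exp": NOW + 300,
}
# Same repository, but the run was triggered by a pull request.
PR_CLAIMS = dict(MAIN_PUSH_CLAIMS, sub="repo:octo-org/octo-repo:pull_request", ref="refs/pull/42/merge")

# Only deployments from main of this one repository may obtain credentials.
PROD_DEPLOY_POLICY = ["repo:octo-org/octo-repo:ref:refs/heads/main"]

if __name__ == "__main__":
    for label, claims in [("push to main", MAIN_PUSH_CLAIMS), ("pull request", PR_CLAIMS)]:
        token = make_unsigned_token(claims)
        ok, why = trust_policy_allows(decode_claims(token), "sts.amazonaws.com",
                                      PROD_DEPLOY_POLICY, now=NOW)
        print(f"{label}: {'allowed' if ok else 'denied'} ({why})")
```

The point the example makes about the `write` value: granting it changes nothing inside GitHub. What it unlocks is the ability to mint a token whose claims name the repository, ref and workflow, and it is entirely the external service's trust policy (the `allowed_subjects` list here) that decides which of those runs get anything back.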