
Can GITHUB_TOKEN be used in place of PAT (github update) #147

Open
dhruvCW opened this issue Sep 9, 2022 · 8 comments

Comments


dhruvCW commented Sep 9, 2022

Hi, love this action!

Based on this post from GitHub: https://github.blog/changelog/2022-09-08-github-actions-use-github_token-with-workflow_dispatch-and-repository_dispatch/

I was wondering, does this mean it's possible to use this action entirely with just the GITHUB_TOKEN secret and no longer require a PAT?


dhruvCW commented Sep 9, 2022

Spoiler alert: it seems it does work as expected 👍

@peter-evans
Owner

Hi @dhruvCW

I saw that blog post, too. Thank you for testing it!

I've not had a chance to test it myself yet, but my guess is that there are still situations where you might need a PAT. For example, if the dispatch is to a remote repository, not the local one associated with the GITHUB_TOKEN. So there are a few things I want to test before updating the documentation, or even the action itself.

@rijkvanzanten

Heya! Just wanted to chime in here and also confirm that it seems to work as expected with a GITHUB_TOKEN as long as your workflow is on the current repo (private or public) 🚀

@terrabitz

Just to throw my 2 cents here, I found that I was able to run using the GITHUB_TOKEN, but it needed a couple extra permissions to do so:

permissions:
  pull-requests: write  # For doing the emoji reaction on a PR comment
  issues: write  # For doing the emoji reaction on an issue comment
  contents: write  # For executing the repository_dispatch event

This will only work for the local repository though. If you want to call a remote repo, you have to use a classic PAT. (The new fine-grained PATs won't work until GitHub adds support for them in the GraphQL API)


geemus commented May 11, 2023

When I tried to do this, I unfortunately have had a bit less luck. I tried passing the GITHUB_TOKEN with and without permissions and in both cases ended up with "Command '...' is not configured for the user's permission level 'none'". I also tried changing the permission to none, but then I just end up with an error about the resource not being accessible. Any advice on what I might be missing?

We previously had it working with a PAT_TOKEN, which we can certainly switch back to, I just thought this might be a bit nicer (and would stop claiming everything was being done on behalf of the PAT_TOKEN owner).


steve-todorov commented May 30, 2023

@geemus 3 weeks ago I was here and attempted @terrabitz's solution, which worked fine on a public repository. Today I was doing the same for a PRIVATE repository and encountered your problem. It looks like this specifically doesn't work for PRIVATE repositories.

My guess is the issued gh token via the permissions key does not actually contain the collaborator permission json that is expected by the typescript.

The only way it works with a private repository is by using PAT from a bot.

@peter-evans The way to reproduce this is by going to the GraphQL Explorer and typing this:

query {
  repository(owner: "x", name: "y") {
    collaborators(query: "z") {
      edges {
        permission
      }
    }
  }
}

When logging into the GQL Explorer, be sure to be a member of an organization which does not allow GraphQL API client access. After executing the query against an organization of which you are a member and which has allowed access, you will get something like this:

{
  "data": {
    "repository": {
      "collaborators": {
        "edges": [
          {
            "permission": "ADMIN"
          }
        ]
      }
    }
  }
}

But when you query an organization which you have not allowed GraphQL to query, you will get something like this:

{
  "data": {
    "repository": {
      "collaborators": {
        "edges": [
            // from memory I believe this was empty or the "permission" key was just an empty string.
         ]
      }
    }
  }
}

What's interesting is that public repositories work just fine (here's an example of s3fs-nio where we're using it with permissions instead of a PAT).
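
An added diagnostic, not code from this thread or from the action, that runs the collaborators query above with a token of your choosing and reduces the response to a permission level, treating an empty edges list, a blank permission field or a GraphQL error as "none" (the failure shape described for private repositories). The GH_TOKEN environment variable name, the url parameter and the x/y/z placeholders are assumptions.

```python
import json
import os
import urllib.request

# The collaborators query from the comment above, with GraphQL variables so the
# owner, repository name and login cannot alter the query text.
COLLABORATOR_QUERY = """
query($owner: String!, $name: String!, $login: String!) {
  repository(owner: $owner, name: $name) {
    collaborators(query: $login) {
      edges { permission }
    }
  }
}
"""


def permission_from_response(body: dict) -> str:
    """Return e.g. "ADMIN"/"WRITE" when collaborator data came back, else "none".

    "none" covers an empty edges list, a blank permission field and API errors,
    which is what an under-privileged token gets on a private repository.
    """
    if body.get("errors"):
        return "none"
    repo = (body.get("data") or {}).get("repository") or {}
    edges = (repo.get("collaborators") or {}).get("edges") or []
    for edge in edges:
        permission = (edge or {}).get("permission") or ""
        if permission.strip():
            return permission.strip().upper()
    return "none"


def query_permission(token: str, owner: str, name: str, login: str,
                     url: str = "https://api.github.com/graphql") -> str:
    """POST the query with the given token and classify the result."""
    payload = json.dumps({
        "query": COLLABORATOR_QUERY,
        "variables": {"owner": owner, "name": name, "login": login},
    }).encode()
    req = urllib.request.Request(url, data=payload, method="POST", headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return permission_from_response(json.load(resp))


if __name__ == "__main__":
    # Constructed usage: token read from an assumed GH_TOKEN variable so it never
    # appears on the command line; owner/name/login are placeholders.
    print(query_permission(os.environ["GH_TOKEN"], "x", "y", "z"))
```

Run it once with the workflow's GITHUB_TOKEN and once with a PAT or GitHub App token against the same private repository to see which one resolves the commenter's permission.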


geemus commented May 30, 2023

@steve-todorov thanks for the detailed additional info. I was definitely also trying to do this on a private repo when I saw the issue, as you had surmised.

@tgharold

> if the dispatch is to a remote repository, not the local one associated with the GITHUB_TOKEN.

We created a GitHub App and used https://github.com/tibdex/github-app-token to generate a new GITHUB_TOKEN to use in the rest of our workflow. That GitHub App was then granted the necessary roles/permissions to do what it needed.

The downside is that we had to feed a secret (the private_key value) into the action via an org-level secret. But it was easy enough to then use the generated token in the rest of the workflow's steps. The step after using tibdex/github-app-token rewrites the env.GITHUB_TOKEN with the new one.

run: echo "GITHUB_TOKEN=${{ steps.generate_token.outputs.token }}" >> $GITHUB_ENV
