Skip to content

docs: clarify GITHUB_TOKEN permissions needed for private repos #1574

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Sep 7, 2025
Merged

docs: clarify GITHUB_TOKEN permissions needed for private repos #1574

merged 3 commits into from
Sep 7, 2025

Conversation

@pankajtaneja5
Copy link
Contributor

@pankajtaneja5 pankajtaneja5 commented Aug 31, 2025
edited by justaugustus
Loading

What

  • Add a short subsection showing the additional job-level read permissions often needed when running Scorecard Action on private repositories (issues, pull-requests, checks), alongside the existing guidance for id-token/security-events.
  • Include a minimal YAML example and brief rationale.

Why

Notes

  • Keeps least-privilege: adds only read scopes needed for the job; write scopes are limited to security-events (SARIF) and id-token (if publishing).

Fixes #1248

@pankajtaneja5 pankajtaneja5 changed the title docs: clarify GITHUB_TOKEN permissions needed for private repos (fixes #1248) docs: clarify GITHUB_TOKEN permissions needed for private repos (fixes #1378) Sep 1, 2025
@pankajtaneja5
Copy link
Contributor Author

pankajtaneja5 commented Sep 1, 2025
edited
Loading

Hi maintainers — this PR clarifies GITHUB_TOKEN read permissions needed for private repos (per #1248 ) and adds a minimal YAML example plus rationale. It’s a docs-only change; DCO is passing. When you have a moment, could a docs/Action maintainer take a look and (if appropriate) add a documentation label? Thanks!
cc @spencerschrock @laurentsimon

@pankajtaneja5 pankajtaneja5 changed the title docs: clarify GITHUB_TOKEN permissions needed for private repos (fixes #1378) docs: clarify GITHUB_TOKEN permissions needed for private repos (fixes #1248) Sep 1, 2025
spencerschrock
spencerschrock reviewed Sep 3, 2025
View reviewed changes
Copy link
Member

@spencerschrock spencerschrock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution, just a question or two

README.md Outdated
Comment on lines 113 to 118
steps:
- uses: actions/checkout@v4
- uses: ossf/scorecard-action@v2
with:
results_file: results.sarif
results_format: sarif
Copy link
Member

@spencerschrock spencerschrock Sep 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can probably omit the steps section. We tend to recommend SHA pinning, so don't want to have conflicting guidance. The important thing for this doc section is just the job level permissions block

Copy link
Contributor Author

@pankajtaneja5 pankajtaneja5 Sep 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call—done. I removed the entire steps block so this section shows only the job-level permissions example.

README.md Outdated
Comment on lines 111 to 112
# (optional) if your workflow needs to read workflow metadata:
actions: read
Copy link
Member

@spencerschrock spencerschrock Sep 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Out of curiosity, did you test if actions: read was necessary? I see it's marked optional?

Copy link
Contributor Author

@pankajtaneja5 pankajtaneja5 Sep 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tested on a private repo with default read permissions and Scorecard runs fine without actions: read. It’s not required by the action; only add it if a workflow step explicitly reads Actions metadata. I’ve removed actions: read from the example to keep it minimal.

@pankajtaneja5 pankajtaneja5 requested a review from a team as a code owner September 7, 2025 16:16
@justaugustus justaugustus changed the title docs: clarify GITHUB_TOKEN permissions needed for private repos (fixes #1248) docs: clarify GITHUB_TOKEN permissions needed for private repos Sep 7, 2025
@justaugustus justaugustus enabled auto-merge (squash) September 7, 2025 16:42
@justaugustus justaugustus added the documentation Improvements or additions to documentation label Sep 7, 2025
justaugustus
justaugustus approved these changes Sep 7, 2025
View reviewed changes
Copy link
Member

@justaugustus justaugustus left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this docs improvement, @pankajtaneja5!

@justaugustus justaugustus changed the title docs: clarify GITHUB_TOKEN permissions needed for private repos docs: clarify GITHUB_TOKEN permissions needed for private repos Sep 7, 2025
@justaugustus justaugustus enabled auto-merge (squash) September 7, 2025 16:44
@justaugustus justaugustus merged commit 7a0b15a into ossf:main Sep 7, 2025
9 checks passed
This was referenced Oct 6, 2025
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@spencerschrock spencerschrock spencerschrock left review comments

@justaugustus justaugustus justaugustus approved these changes

@jeffmendoza jeffmendoza Awaiting requested review from jeffmendoza jeffmendoza is a code owner automatically assigned from ossf/scorecard-maintainers

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Suggested GITHUB_TOKEN permissions in docs not sufficent to run on (at least) private repo's

3 participants

@pankajtaneja5 @justaugustus @spencerschrock