Update GitHub Actions permissions automatically.
- Static analysis
- Detects the actions a workflow uses and adds a `permissions` field to your workflow YAML file
- Supports 500+ GitHub Actions
Install with npm:

```sh
npm install @pkgdeps/update-github-actions-permissions --global
```

or install and run via the `npx` command:

```sh
npx @pkgdeps/update-github-actions-permissions ".github/workflows/*.{yaml,yml}"
```
## Usage

```
Usage
  $ update-github-actions-permissions "[file|glob]"

Options
  --defaultPermissions [String] "write-all" or "read-all" or "{}". Default: "write-all"
                                https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
  --verbose [Boolean] If enable verbose, output debug info.
  --use-rule-definitions [String[]] Use rule definitions. Default: ["default", "step-security"]

Examples
  $ update-github-actions-permissions ".github/workflows/test.yml"
  # multiple inputs
  $ update-github-actions-permissions ".github/workflows/test.yml" ".github/workflows/publish.yml"
  $ update-github-actions-permissions ".github/workflows/*.{yml,yaml}"
```
This tool manages its permission definitions in `actions.yml`.
If you want to improve the permission definitions, please edit `actions.yml`:

- Edit `actions.yml`
- Submit a Pull Request

📝 This tool also includes the step-security/secure-repo definitions.
If the same action is defined in both, this tool prefers `actions.yml`.
This order can be changed via the `--use-rule-definitions` flag.
Requires no permissions:

```yaml
actions/setup-node:
```

Read contents permission:

```yaml
actions/checkout:
  permissions:
    contents: read
```

Issue/Pull Request comment permissions:

```yaml
actions/stale:
  permissions:
    issues: write
    pull-requests: write
```

Update contents and create Pull Request permissions:

```yaml
peter-evans/create-pull-request:
  permissions:
    contents: write
    pull-requests: write
```
## How it works

- Read your workflow file
- Collect `uses` actions and `env` entries that use `${{ secrets.GITHUB_TOKEN }}`
- Match the actions against `actions.yml`
- If an unknown action is found, write `defaultPermissions` (`permissions: write-all`) to the workflow file.
- If `env` usage of the token is found, write `defaultPermissions` (`permissions: write-all`) to the workflow file.
  - 📝 `NODE_AUTH_TOKEN` is a special pattern. It is currently treated as `contents: read` and `packages: write`.
- Otherwise, write `permissions: <combined permissions>` to the workflow file.
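The inference steps above as an added illustration, not the package's own code: a dependency-free Node.js sketch whose rule table is the `actions.yml` excerpt shown on this page, whose workflow text is constructed, and whose YAML handling is a deliberately minimal line scanner rather than a real parser.

```javascript
// Added example, not the package's own code: a dependency-free sketch of the
// steps above. RULES is the actions.yml excerpt from this page; SAMPLE is constructed.
const RULES = {
  "actions/setup-node": null, // no token permissions needed
  "actions/checkout": { contents: "read" },
  "actions/stale": { issues: "write", "pull-requests": "write" },
  "peter-evans/create-pull-request": { contents: "write", "pull-requests": "write" },
};
// `uses:` action names without the @ref suffix (line-based, not a YAML parser).
const collectUses = (text) =>
  [...text.matchAll(/^\s*-?\s*uses:\s*([^@\s#]+)/gm)].map((m) => m[1]);
// `env` keys set to ${{ secrets.GITHUB_TOKEN }}; env: block indentation is tracked so `with:` inputs are ignored.
function collectTokenEnv(text) {
  const keys = [];
  let envIndent = -1; // indent of the open env: block, -1 when outside one
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    const indent = line.search(/\S/);
    if (/^\s*env:\s*$/.test(line)) { envIndent = indent; continue; }
    if (indent <= envIndent) envIndent = -1;
    const m = line.match(/^\s*(\w+):\s*\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}/);
    if (envIndent >= 0 && m) keys.push(m[1]);
  }
  return keys;
}
// Combine scopes into target; `write` always wins over `read`.
const merge = (target, perms) => {
  for (const [s, l] of Object.entries(perms)) if (target[s] !== "write") target[s] = l;
  return target;
};
// Unknown action or raw GITHUB_TOKEN env usage -> defaultPermissions; NODE_AUTH_TOKEN -> contents: read, packages: write.
function inferPermissions(text, defaultPermissions = "write-all") {
  const combined = {};
  for (const action of collectUses(text)) {
    if (!(action in RULES)) return { permissions: defaultPermissions, reason: `unknown ${action}` };
    if (RULES[action]) merge(combined, RULES[action]);
  }
  for (const key of collectTokenEnv(text)) {
    if (key !== "NODE_AUTH_TOKEN") return { permissions: defaultPermissions, reason: `env ${key}` };
    merge(combined, { contents: "read", packages: "write" });
  }
  return { permissions: combined, reason: "combined" };
}
// Constructed workflow steps: checkout, setup-node publishing with NODE_AUTH_TOKEN, stale.
const SAMPLE = `      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        env:
          NODE_AUTH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
      - uses: actions/stale@v7`;
console.log(inferPermissions(SAMPLE)); // contents: read, packages: write, issues: write, pull-requests: write
```

A token passed through a `with:` input is not counted as `env` usage here, matching the list above; the real tool's rule table is far larger and its YAML parsing is not line-based.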
## References

- 2023-02-03: GitHub changed the default permission to `contents: read`
  - See the Releases page.
- GitHubSecurityLab/actions-permissions: GitHub token permissions Monitor and Advisor actions
  - This action does dynamic analysis
Install devDependencies and run `npm test`:

```sh
npm test
```
Pull requests and stars are always welcome.
For bugs and feature requests, please create an issue.

- Fork it!
- Create your feature branch: `git checkout -b my-new-feature`
- Commit your changes: `git commit -am 'Add some feature'`
- Push to the branch: `git push origin my-new-feature`
- Submit a pull request :D
This package is licensed under the AGPL (GNU Affero General Public License) v3.0, because it includes AGPL-licensed third-party resources such as step-security/secure-repo.

- `step-security.yml`: AGPL v3.0 ©️ step-security/secure-repo

However, the following files are available under the MIT license:

- `bin/*`
- `src/*`
- `lib/*`
- `module/*`
- `test/*`
- `action.yml`