Included in v0.0.20
GitHub introduced permissions for GITHUB_TOKEN which enables one to restrict tokens to just the necessary permissions.
check-spelling has a couple of distinct phases that have differing requirements.
It's better from a security perspective to use "least privilege".
contents: read-- to read the repository (to check it out) -- for apull_request_target, this may include untrusted content (the merge)pull-requests: read-- to determine if thispushevent should be skipped in favor of a relatedpull_request_targetevent.
contents: write-- if it's commenting on a commit (i.e.on: push)pull-requests: write-- if it's commenting on a PR (i.e.on: pull_request_target)
contents: write-- to write new commitspull-requests: write-- to collapse existing comments and write a new comment
- https://raw.githubusercontent.com/check-spelling/spell-check-this/main/.github/workflows/spelling.yml defines a workflow that is compatible with these requirements
FAQ | Showcase | Event descriptions | Configuration information | Known Issues | Possible features | Deprecations | Release notes | Helpful scripts