Review input 'GITHUB_TOKEN'

[ricardo-dematos]

Since that input GITHUB_TOKEN default value is github.token , there's no need to make it required.

Important: An action can access the GITHUB_TOKEN through the github.token context even if the workflow does not explicitly pass the GITHUB_TOKEN to the action. As a good security practice, you should always make sure that actions only have the minimum access they require by limiting the permissions granted to the GITHUB_TOKEN. For more information, see "Permissions for the GITHUB_TOKEN."

source: Using the GITHUB_TOKEN in a workflow

---

Please, consider changing it's name to token or repo-token, as seen in actions/setup-python and actions/labeler, because it's functionality are similar, thus helping create a standard across the actions available in the GitHub Marketplace - Actions.

[jsoref]

Fair. I've been thinking about renaming all of my settings. I've been using _s because they're easier to reason with in shell, but actions prefer -s.

It'll be a slight migration headache.

I've also been considering moving most of my settings out of the workflow and into a state file. This (and a configuration path) would of course remain, but I'm considering moving most others away, which would resolve a number of points for me...

The required field is mostly unenforced by GitHub. What I'm trying to say is that people shouldn't do:

  with:
    GITHUB_TOKEN: ""

Which would otherwise be legal, but I promise that doing that will not result in a good outcome (as a very large portion of the engine involves talking to GitHub).

(I should add a caveat in that Gitea is previewing actions and I hope (but haven't tested) that it will work with GHES, and it should generally work with nektos/act, so it doesn't precisely need GitHub, it just really wants a GitHub-like environment -- including a token so it can talk to the GitHub-like api server.)

Renaming fields is something I definitely want to do before a 1.0 release (at which point I'd likely drop a number of deprecated fields).

[ricardo-dematos]

The required field is mostly unenforced by GitHub.

The starting point to open this issue was 'GitHub Actions' plugin warning about the missing required field.

[ricardo-dematos]

What I'm trying to say is that people shouldn't do:

  with:
    GITHUB_TOKEN: ""

Which would otherwise be legal, but I promise that doing that will not result in a good outcome (as a very large portion of the engine involves talking to GitHub).

A test to enforce a value for this field should be applied or there's a reason to allow an empty value? 🤔

[jsoref]

The documentation doesn't really explain enough of these things, so I'm not entirely certain if the statement is technically right or wrong:
https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#inputsinput_idrequired
https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions#inputsinput_iddefault

I suppose I could file a bug asking for the documentation to clarify what they mean.

I'll have to test to see what explodes.

I'll probably deprecate GITHUB_TOKEN (at which point I'll drop the required and default) and then add a token w/ a default of github.token and then use GITHUB_TOKEN if present and token if not....

[jsoref]

Fwiw, I've started working on these things. I expect to include changes in prerelease shortly.

[jsoref]

I ran into a bunch of snags trying to redo all of my inputs and punted on this work, so it is not include in v0.0.22. I do intend to work on it.