Feature: Restricted Permissions
Josh Soref edited this page Feb 25, 2024 · 4 revisions
Included in v0.0.20
GitHub introduced permissions for `GITHUB_TOKEN`, which enable one to restrict tokens to just the necessary permissions.
check-spelling has a couple of distinct phases that have differing requirements.
It's better from a security perspective to use "least privilege".
- `contents: read` -- to read the repository (to check it out) -- for a `pull_request_target`, this may include untrusted content (the merge)
- `pull-requests: read` -- to determine if this `push` event should be skipped in favor of a related `pull_request_target` event.

- `contents: write` -- if it's commenting on a commit (i.e. `on: push`)
- `pull-requests: write` -- if it's commenting on a PR (i.e. `on: pull_request_target`)

- `contents: write` -- to write new commits
- `pull-requests: write` -- to collapse existing comments and write a new comment
- https://github.com/check-spelling/spell-check-this/blob/main/.github/workflows/spelling.yml defines a workflow that is compatible with these requirements
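
One way to check a workflow's jobs against the permission lists above, as an added example (not check-spelling's own code). The phase names (`check`, `comment-push`, `comment-pr`, `update`), the function name `audit`, and the sample jobs are assumptions made for this example; the input is the already-parsed `permissions:` value of each job.

```python
# Added example: audit a job's GITHUB_TOKEN permissions against the page's lists.
# The phase names below are labels assumed for this example.
LEVEL = {"none": 0, "read": 1, "write": 2}

REQUIRED = {
    "check": {"contents": "read", "pull-requests": "read"},
    "comment-push": {"contents": "write"},
    "comment-pr": {"pull-requests": "write"},
    "update": {"contents": "write", "pull-requests": "write"},
}

def audit(phase, permissions):
    """Return (missing, excess) findings for one job.

    `permissions` is the parsed YAML value that applies to the job: a mapping,
    the shorthand "read-all" / "write-all", or None when no block is set.
    """
    need = REQUIRED[phase]
    if permissions is None:
        return [], ["no permissions block: token falls back to the default grant"]
    if isinstance(permissions, str):
        blanket = permissions.split("-")[0]  # "read" or "write"
        granted = {scope: blanket for scope in need}
        excess = [f"{permissions}: grants every scope, not only the ones needed"]
    else:
        granted, excess = dict(permissions), []
    missing = []
    for scope in sorted(set(need) | set(granted)):
        want = need.get(scope, "none")
        have = granted.get(scope, "none")  # scopes left out of a mapping get none
        if LEVEL[have] < LEVEL[want]:
            missing.append(f"{scope}: {want} (has {have})")
        elif LEVEL[have] > LEVEL[want]:
            excess.append(f"{scope}: {have} (needs {want})")
    return missing, excess

# Constructed sample: job name -> (phase, parsed `permissions:` value).
SAMPLE_JOBS = {
    "spelling": ("check", {"contents": "read", "pull-requests": "read"}),
    "comment-pr": ("comment-pr", {"contents": "write", "pull-requests": "write"}),
    "update": ("update", {"contents": "write"}),
    "legacy": ("check", "write-all"),
}

if __name__ == "__main__":
    for job, (phase, perms) in SAMPLE_JOBS.items():
        missing, excess = audit(phase, perms)
        print(f"{job}: missing={missing} excess={excess}")
```

An empty `missing` list with a non-empty `excess` list means the job will work but holds more access than its phase needs.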