
Feature: Restricted Permissions

Josh Soref edited this page Feb 25, 2024 · 4 revisions

Restricted Permissions

Included in v0.0.20

GitHub introduced permissions for GITHUB_TOKEN, which lets a workflow restrict the token to just the permissions it actually needs.

check-spelling runs in several distinct phases, and each phase has different requirements.

From a security perspective it is better to follow "least privilege" and grant each phase only what it needs.

Requirements by phase

checking

  • contents: read -- to read the repository (to check it out) -- for a pull_request_target event this may include untrusted content (the merge of the pull request)
  • pull-requests: read -- to determine whether this push event should be skipped in favor of a related pull_request_target event

commenting

  • contents: write -- if it's commenting on a commit (i.e. on: push)
  • pull-requests: write -- if it's commenting on a PR (i.e. on: pull_request_target)

updating branches

  • contents: write -- to write new commits
  • pull-requests: write -- to collapse existing comments and write a new comment
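One way to apply these per-phase permissions is to give each phase its own job, so the job that checks out untrusted pull_request_target content never holds a write token. This is an added example, not the check-spelling project's own workflow: the `permissions: {}` default, the job names, the version pin and the `task` input name and values are assumptions.

```yaml
on:
  push:
  pull_request_target:
# Deny every permission by default; each job opts in to only what its phase needs.
permissions: {}

jobs:
  check:
    # Checking phase. For pull_request_target the checkout is the untrusted merge,
    # so this job deliberately gets no write permission at all.
    permissions:
      contents: read
      pull-requests: read
    runs-on: ubuntu-latest
    steps:
      - uses: check-spelling/check-spelling@v0.0.20  # ASSUMPTION: pin a tag/SHA you verified
  comment-commit:
    # Commenting phase for on: push (comment on a commit); runs even if check failed.
    if: ${{ !cancelled() && github.event_name == 'push' }}
    needs: check
    permissions:
      contents: write
    runs-on: ubuntu-latest
    steps:
      - uses: check-spelling/check-spelling@v0.0.20
        with:
          task: comment  # ASSUMPTION: illustrative input name; see the action's README
  comment-pr:
    # Commenting phase for on: pull_request_target (comment on the PR).
    if: ${{ !cancelled() && github.event_name == 'pull_request_target' }}
    needs: check
    permissions:
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - uses: check-spelling/check-spelling@v0.0.20
        with:
          task: comment  # ASSUMPTION: illustrative input name
  update:
    # Updating-branches phase: write new commits, collapse old comments, post a new one.
    if: ${{ !cancelled() && github.event_name == 'pull_request_target' }}
    needs: check
    permissions:
      contents: write
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - uses: check-spelling/check-spelling@v0.0.20
        with:
          task: update  # ASSUMPTION: illustrative input name
```

The write-capable jobs only start after the read-only check job has finished, so nothing that ran against the untrusted merge ever executes with a token that can push commits or edit comments.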

Workflow
