Remove GH_PAT from all workflows #781
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is groundwork for using `{{ github.token }}` everywhere. We will need to add `permissions` to a few places to make the built-in GitHub Actions workflow integration PAT more powerful than how it comes by default:
https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
|
Amazing Work! Good luck |
|
Core package you should check this repo too, the core functionality written in that repo! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is groundwork for using
{{ github.token }}everywhere. We will need to addpermissionsto a few places to make the built-in GitHub Actions workflow integration PAT more powerful than how it comes by default:https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
I believe this is the optimal way to proceed to make the PR ready:
GH_PAT/tokenthroughenvto other GitHub Actionsactions/checkout- we can probably just not passtokento this right?upptime/uptime-monitor- we should make a PR like this there first and use{{ github.token }}+permissionsthere instead ofGH_PATfirst and then drop theenvhere as a proof of conceptupptime/updates- we should make a PR like this there first and use{{ github.token }}+permissionsthere instead ofGH_PATfirst and then drop theenvhere as a proof of conceptbenc-uk/workflow-dispatch- we should make a contribution there first to not needtokenand instead use{{ github.token }}+permissionsThis is already kind of done here Regression on token permissions benc-uk/workflow-dispatch#52 so theoretically we just need to pass
permissionsinstead oftoken.peaceiris/actions-gh-pages- we should make a contribution there first to not needgithub_tokenand instead use{{ github.token }}+permissionsThis is covered here: https://github.com/peaceiris/actions-gh-pages#%EF%B8%8F-first-deployment-with-github_token. When we don't pass a custom PAT there is an extra step needed in the GitHub Pages setup it seems. IMO worth doing this even with this extra step because that's just one step whereas as of now making the PAT is a series of steps.
GH_PATfrom the main repo (this PR) and addpermissionswith the necessary permissionsI will try to contribute changes to the external dependencies first (
benc-uk/workflow-dispatchandpeaceiris/actions-gh-pages) to see if using{{ github.token }}andpermissionsthere is even feasible. That will tell us whether this whole endeavor is doable at all. I think it should work but I don't know yet.I will leave this draft PR open while I do this and update the steps here as I progress.