Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Log GitHub Actions runtime token access controls #707

Merged
merged 1 commit into from
Jan 12, 2023
Merged

Log GitHub Actions runtime token access controls #707

merged 1 commit into from
Jan 12, 2023

Conversation

crazy-max
Copy link
Member

@crazy-max crazy-max commented Oct 19, 2022
edited
Loading

fixes #433

This logs GitHub Actions runtime token access controls in the workflow so users can figure out if cache scope is readable/writable:

Example with this PR: https://github.com/docker/build-push-action/actions/runs/3283669905/jobs/5408685907#step:4:14

  [
    {
      "Scope": "refs/pull/707/merge",
      "Permission": 3
    },
    {
      "Scope": "refs/heads/master",
      "Permission": 1
    }
  ]

Push on master:

  [
    {
      "Scope": "refs/heads/master",
      "Permission": 3
    }
  ]

Permission:

  • 1: read
  • 2: write
  • 3: read/write

Signed-off-by: CrazyMax crazy-max@users.noreply.github.com

@crazy-max crazy-max marked this pull request as ready for review October 19, 2022 17:30
@crazy-max crazy-max mentioned this pull request Oct 19, 2022
Closed
tonistiigi
tonistiigi reviewed Oct 19, 2022
View reviewed changes
Copy link
Member

@tonistiigi tonistiigi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should this be behind the debug option that is provided to workflows?

@crazy-max
Copy link
Member Author

Should this be behind the debug option that is provided to workflows?

I'm not sure if that would be useful because ACTIONS_STEP_DEBUG secret needs to be set and therefore workflow re-triggered which can lead to inconvenient behavior.
Let's say you tagged a release and cache doesn't seem to work properly, you would have to trigger this workflow again with ACTIONS_STEP_DEBUG secret set to figure out what's going on and depending what this workflow does when releasing a project, this could overwrite release files, pushed image, etc... to just check scopes.

@crazy-max
log GitHub Actions runtime token access controls
f9ccca0 
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
@crazy-max crazy-max merged commit 1d910c8 into docker:master Jan 12, 2023
@crazy-max crazy-max deleted the gh-runtime-token-info branch January 12, 2023 18:50
@crazy-max crazy-max mentioned this pull request Jun 9, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tonistiigi tonistiigi tonistiigi approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

gha Cache not Used With Tagged Releases
2 participants
@crazy-max @tonistiigi