Add default GitHub token #195

Closed
jawnsy opened this issue May 23, 2023 · 2 comments · Fixed by #196

Comments

@jawnsy

jawnsy commented May 23, 2023

If you define an action input for the GitHub token, you can include it by default, so that users don't need to write boilerplate like:

env:
  GITHUB_TOKEN: ${{ github.token }}

For an example, see https://github.com/styfle/cancel-workflow-action/blob/034d0e91921de4e82c4b8c958df266ca615543e8/action.yml#L15-L18 and https://github.com/peter-evans/create-issue-from-file/blob/ba0d2ca88c3d42f4e20ad4f1018fdb100f250b42/action.yml#LL4C1-L6C33

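As an added illustration of the pattern described above (constructed for this page, not lychee-action's own action.yml nor the two linked examples): the action declares a `token` input whose default is `${{ github.token }}`, so a caller only sets it when overriding. The composite `runs` section, the `GITHUB_TOKEN` variable name, the placeholder command and the action reference are assumptions.

```yaml
# action.yml (constructed example, not lychee-action's real metadata)
name: 'Link checker'
description: 'Checks links and reports broken ones'
inputs:
  token:
    description: >
      GitHub token used for API requests. Defaults to the workflow's
      automatic token, so callers do not need an explicit env block.
    required: false
    default: ${{ github.token }}
runs:
  using: composite
  steps:
    - name: Run link check
      shell: bash
      # The input is handed to the tool through the environment rather than
      # interpolated into the script text, so its value never becomes
      # shell syntax and does not appear in the rendered command line.
      env:
        GITHUB_TOKEN: ${{ inputs.token }}
      run: |
        # placeholder command; the real action invokes the lychee binary here
        link-check --verbose ./**/*.md
---
# .github/workflows/links.yml (constructed caller workflow)
# No GITHUB_TOKEN boilerplate, and only the permission the check needs.
on:
  pull_request:
permissions:
  contents: read
jobs:
  links:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/link-checker@v1   # placeholder action reference
        # Override only when a different token is wanted:
        # with:
        #   token: ${{ secrets.CUSTOM_TOKEN }}
```
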
@mre
Member

mre commented May 23, 2023

Interesting! I did not know that. Can you take a look at #196 to see if it looks fine?

@jawnsy
Author

jawnsy commented May 24, 2023

Looks good to me! I don't know if there's a way to check that lychee is actually picking up the token (e.g. with verbose logging or similar); that would be the only thing I'd suggest, just to make sure everything is working as we think it is :)

@mre mre closed this as completed in #196 Jun 16, 2023
mtardy added a commit to cilium/tetragon that referenced this issue Oct 22, 2024
A user could create a branch with a particular name that would trigger a
command injection because we use this input directly in the shell
scripts generation. See more details in
https://securitylab.github.com/resources/github-actions-untrusted-input/.

This also updates the lychee action, which no longer needs an explicit
GITHUB_TOKEN env variable (lycheeverse/lychee-action#195), and reduces the
permissions needed by the token in both check-links workflows.

Reported-by: Piergiorgio Ladisa <piergiorgio.ladisa@hotmail.it>
Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>