-
Notifications
You must be signed in to change notification settings - Fork 60k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Suggested improvements to explanation of id-token: write #32320
Comments
The table on this page also mentions I don't understand the relevance of |
@simonw Thank you for opening this issue! I'll get this triaged for review ✨ |
Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀 |
@simonw Hello! 👋 Thank you for your patience while our team reviewed this issue! After discussing this issue with our technical writing team, we are going to loop in one of our Actions SMEs, given the complexity of this topic. We'll provide another update once the Actions SME has reviewed 💛 |
@simonw Hi again! 👋 Thank you again for your patience while our Actions SME team reviewed. They wanted to ensure you had a chance to view this portion of the documentation regarding permissioning, and wanted to offer some additional context -
Does this help clarify some of the confusion regarding |
This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further. See this blog post on bug reports and the importance of repro steps for more information about the kind of information that may be helpful. |
@nguyenalex836 I can't speak for @simonw but for me that doesn't really make sense, or at least doesn't fully explain what |
@danielcompton Thank you for letting me know! 💛 Would you be open to raising a new, separate issue that includes the specific points that you are looking for clarity on regarding |
I don't think this topic needs a new issue every single time a stale bot closes out the previous one;) I'm afraid it needs a better documentation explaining what the actual permission setting is and what it is for (not the whole OIDC workflow, that one clearly states when you need the permission, own-org vs. outside-org reusables etc. — but what the actual values for that permission mean, and if/when/how they can be set). Ex without the great writeup about OIDC use for deploy-pages I could have only guessed why such permission is necessary to grant, without any more explanation than to just blindly follow the boilerplate. (In case of Connecting to cloud providers like AWS or GCP is pretty well documented here, but the issues cropping up repeatedly are about the lack of documentation for:
I see it being rather unpopular topic with how often it ends up closed out by stale bot, but perhaps it's too obvious for engineers architecting the functionality, but without any visibility into how that values are then used for what in GHA code, we the end users are then left in the dark to just blindly trust the actions' instructions, or keep running in circles between unresolved issues trying to asses the potential impact this setting could have if not used correctly. But if you really want, there's another confused consumer: |
@janbrasna Thank you for the incredibly thoughtful comment! This is certainly a nuanced topic, but just to get us all on the same page, the next development / response on the |
Code of Conduct
What article on docs.github.com is affected?
The explanation of what
id-token: read/write/none
means in a GitHub Actions workflow is still really confusing. Previous issues about this include:id-token
permission #14626token-id
permission options #26481I guess the most relevant article is this one: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
What part(s) of the article would you like to see updated?
Here's my understanding of this feature. Feel free to use any of this copy, or correct me if I got something wrong!
The
id-token: write
permission provides a workflow the ability to interact with external services that use OpenID Connect (OIDC).The
write
value can be better interpreted as meaning "enabled" - no writes occur with this permission, and it does not imply that the workflow has the ability to write to anything within GitHub.Instead, this permission allows the workflow to request an access token from an OIDC supporting external service, such as PyPI or AWS or Google Cloud.
When the GitHub Action workflow runs it will request a token from the relevant service. That service will be able to identify the workflow and repository that is making the request and will only return a token for workflows that it has been configured to allow.
A value of
id-token: read
is treated the same asid-token: none
(the default) - workflows withoutid-token: write
will be unable to request tokens from external services using OIDC.Additional information
No response
The text was updated successfully, but these errors were encountered: