Disclaimer
Please point me elsewhere if this isn't the right place to raise this. It seems like the runner only dumps a map it gets from the job context but I couldn't find where system.github.token.permissions is managed.
Describe the bug
When a workflow sets the id-token permission the logs do not include it when reporting what permissions the GITHUB_TOKEN had. This is undesirable from a security and auditing perspective.
Related, but less important: the Attestations [edit: it looks like this was released yesterday] and Discussions permissions which are logged do not appear to be documented.
To Reproduce
Add the below permissions block to a workflow (e.g. a simple example)
permissions:
  id-token: write
and check the logs of the workflow run to see that the permissions are reported as
GITHUB_TOKEN Permissions
Metadata: read
Expected behavior
The logs would include (for instance)
Runner Version and Platform
This was tested on self-hosted runners in an EMU instance and on GitHub runners in a public repository. The reported versions from the public repository are
Current runner version: '2.316.0'
Operating System
Ubuntu
22.04.4
LTS
Runner Image
Image: ubuntu-22.04
Version: 20240422.1.0
Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240422.1/images/ubuntu/Ubuntu2204-Readme.md
Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240422.1
Runner Image Provisioner
2.0.369.1
What's not working?
See report body above
Job Log Output
See report body above
Runner and Worker's Diagnostic Logs
N/A
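An audit check for the gap this report describes, as an added example that is not part of the original issue or of the runner's code: it compares the permissions a workflow file declares with those listed under "GITHUB_TOKEN Permissions" in a job log and returns the ones the log never mentions. The sample workflow and log are constructed, the function names are hypothetical, and matching log names to workflow keys by dropping hyphens and case is an assumption.

```python
import re

# Constructed sample inputs, not taken from a real run.
WORKFLOW = """\
name: demo
on: push
permissions:
  id-token: write
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
"""
LOG = """\
GITHUB_TOKEN Permissions
Contents: read
Metadata: read
Current runner version: '2.316.0'
"""

def _norm(name):
    # Assumption: the log prints "PullRequests" for the key "pull-requests".
    return name.replace("-", "").replace("_", "").lower()

def declared_permissions(workflow_text):
    """Collect scope: level pairs from every block-style `permissions:` mapping."""
    perms, block_indent = {}, None
    for line in workflow_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if block_indent is not None and indent > block_indent:
            m = re.match(r"\s*([\w-]+):\s*(read|write|none)\s*(#.*)?$", line)
            if m:
                perms[m.group(1)] = m.group(2)
            continue
        # Shorthand forms such as `permissions: read-all` are not expanded here.
        block_indent = indent if re.match(r"\s*permissions:\s*(#.*)?$", line) else None
    return perms

def logged_permissions(log_text):
    """Read the Name: level lines that follow the GITHUB_TOKEN Permissions header."""
    perms, in_block = {}, False
    for line in log_text.splitlines():
        if line.rstrip().endswith("GITHUB_TOKEN Permissions"):
            in_block = True
        elif in_block:
            m = re.search(r"(\w+): (read|write)\s*$", line)
            if not m:
                break
            perms[_norm(m.group(1))] = m.group(2)
    return perms

def unreported(workflow_text, log_text):
    """Scopes granted in the workflow that the job log does not list."""
    logged = logged_permissions(log_text)
    declared = declared_permissions(workflow_text)
    return sorted(k for k, v in declared.items() if v != "none" and _norm(k) not in logged)
```
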