nearform-actions/optic-release-automation-action

Use more restrictive permissions

Closed this issue · 8 comments

Rather than use the open GITHUB_TOKEN with the ability to read/write to everything we should advise more restrictive permissions. We should update the documentation to match.

I believe the permissions should be:

```yaml
permissions:
  contents: write
  issues: write
  pull-requests: write
```

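An added example, not code from the issue or the project: a small audit that checks a workflow file using this action against the `permissions:` block proposed above, so the check can be run over many repositories (the scale problem raised later in the thread). It assumes a flat top-level block as shown in the issue, treats a missing block as "inherits the org/repo default token scope", and uses a constructed `@v4` ref.

```python
# Audit workflows that use the optic release action for the least-privilege
# permissions block proposed in this issue (added example, not project code).
import re

ACTION = "nearform-actions/optic-release-automation-action"
REQUIRED = {"contents": "write", "issues": "write", "pull-requests": "write"}


def parse_permissions(workflow_text):
    """Top-level `permissions:` mapping, or None when unset (org/repo default scope).
    Line-based parser for the flat block in this issue; job-level blocks ignored."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(\S+)?\s*$", line)
        if not m:
            continue
        if m.group(1):  # shorthand form, e.g. `permissions: read-all`
            level = "write" if m.group(1) == "write-all" else "read"
            return {scope: level for scope in REQUIRED}
        perms = {}
        for nxt in lines[i + 1:]:
            km = re.match(r"^\s+([a-z-]+):\s*(read|write|none)\s*$", nxt)
            if not km:
                break
            perms[km.group(1)] = km.group(2)
        return perms
    return None


def audit(workflow_text):
    """Problems with the token scope; empty list means it matches the proposal.
    Scopes omitted from an explicit block are `none` on GitHub, so they count."""
    if ACTION not in workflow_text:
        return []
    perms = parse_permissions(workflow_text)
    if perms is None:
        return ["no permissions block: token scope depends on org/repo defaults"]
    return [f"{scope}: need {level}, have {perms.get(scope, 'none')}"
            for scope, level in REQUIRED.items() if perms.get(scope) != level]


# Constructed sample workflows; the @v4 ref is assumed, not taken from the page.
WORKFLOW_DEFAULT = """jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: nearform-actions/optic-release-automation-action@v4
"""
WORKFLOW_RESTRICTED = ("permissions:\n  contents: write\n  issues: write\n"
                       "  pull-requests: write\n" + WORKFLOW_DEFAULT)
```

Running `audit()` over every `.github/workflows/*.yml` in a checkout lists the repos that still rely on the default token scope.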
Eomm commented

+1 I hit this issue today

Permission to Eomm/notion-board.git denied to github-actions[bot].

The token is read-only by default when creating a new repo (at least I did not set it manually).

Adding the permissions solved the issue 👍🏼

@Eomm @gregoryduckworth as we're in the process of moving all the actions to a different org, I would wait until that's done to do this change, which is basically only a change in the docs about how to configure the workflows in which the actions are used. We never noticed this because we have a more permissive setting at the org level, but we realized that in newly created orgs the default is different, so it needs to be documented.

I'm not sure where we stand on this but I believe this wasn't actually done. I'm also not sure about the permissions, the current docs seem to document something different, but I believe that writing to issues may be necessary when the notify-issues setting is enabled (which it is by default).

This list only includes repos in this org, which are basically ALL repos. We need to apply this change to ALL repos using this action in the main nearform org too.

Yeah, @grantmorrison reached out as he was having issues searching in the nearform-actions organisation which was returning zero results on the search, so I've provided them here.

What's the ideal way to proceed?

I could manually update all the repos but this sounds problematic for various reasons:

  1. There are 80 or so results in the NearForm org and I don't think that's a manageable number of PRs
  2. I don't trust I'm seeing a full list of results as per Greg's explanation

@simoneb, you mentioned some form of automation which might help but I'm unsure what that is or how I might take advantage of it. Are you able to provide some details in the ticket/comments?

🎉 This issue has been resolved in version 4.4.6 🎉

The release is available on:

Your optic bot 📦🚀