|
1 | 1 | # GitHub Workflow Guide |
2 | 2 |
|
3 | | -- Version: 1.0.0 |
| 3 | +- Version: 1.0.1 |
4 | 4 | - Author: |
5 | 5 | - Nathan Nellans |
6 | 6 | - Email: me@nathannellans.com |
|
110 | 110 |
|
111 | 111 | # Permissions for the GITHUB_TOKEN |
112 | 112 | [Documentation - Permissions for the GitHub Token](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) |
113 | | -- Use this if you want to modify the default permissions granted to the GITHUB_TOKEN |
| 113 | +- Use this if you want to modify the default permissions granted to the `GITHUB_TOKEN` |
114 | 114 | - Optional, the default can be set (by an admin) to either a `permissive` preset or a `restricted` preset (more info at the link above) |
115 | | -- As a good security practice, you should grant the GITHUB_TOKEN the least required access |
| 115 | +- As a good security practice, you should grant the `GITHUB_TOKEN` the least required access |
116 | 116 | - When the `permissions` key is used, all unspecified permissions are set to `none`, with the exception of the `metadata` scope, which always gets `read` access. |
117 | 117 | - Supported scopes for `permissions`: workflow-level, job-level |
118 | 118 |
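Review bot: the heading on 111 still spells GITHUB_TOKEN without a code span while the bullets on 113 and 115 now use one; apply the same formatting in the heading so the section is consistent. While here, 115 could point at 116 directly: the least-privilege advice is easiest to follow when the reader knows that listing any scope under `permissions` drops every unlisted scope to `none` (except `metadata`), so a minimal `permissions:` block is the mechanism, not just a recommendation.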
|
@@ -141,12 +141,13 @@ permissions: {} |
141 | 141 | ``` |
142 | 142 |
|
143 | 143 | More Info: |
144 | | -- When you enable GitHub Actions, a GitHub App will be installed on your repo |
145 | | -- The GITHUB_TOKEN secret is used to hold an installation access token for that app |
| 144 | +- When you enable GitHub Actions, then a GitHub App will be installed on your repo |
| 145 | + - The `GITHUB_TOKEN` secret is used to hold an installation access token for that app |
146 | 146 | - Before each job begins, GitHub fetches an unique installation access token for the job |
147 | 147 | - The token expires when a job finishes or after a maximum of 24 hours. |
148 | 148 | - The token can authenticate on behalf of the GitHub App installed on your repo |
149 | 149 | - The token's permissions are limited to the repo that contains your workflow |
| 150 | +- [My blog post all about GitHub Apps and the `GITHUB_TOKEN`](https://www.nathannellans.com/post/github-apis-github-tokens-and-github-action-workflows) |
150 | 151 |
|
151 | 152 | # Default Settings |
152 | 153 | [Documentation - Setting Default Values for Jobs](https://docs.github.com/en/actions/using-jobs/setting-default-values-for-jobs) |
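Review bot: the added "then" on 144 ("When you enable GitHub Actions, then a GitHub App will be installed") reads awkwardly; the original "When you enable GitHub Actions, a GitHub App will be installed on your repo" was grammatical and should be kept. Nesting 145 under 144 is a good change. Since this list is being touched, the unchanged context on 146 has a typo: "an unique installation access token" should be "a unique installation access token". The per-job, 24-hour-max lifetime on 146-147 is the reason the token cannot be stashed for reuse outside the job; a short clause saying so would make the security relevance of those two bullets explicit.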
|
546 | 547 | done <<< "$SENSITIVE" |
547 | 548 |
|
548 | 549 | # In this example, the sensitive value will be assigned to the variable called SENSITIVE |
549 | | -# The command used on line 1 will be logged in plain-text in the logs, so it must not include sensitive values |
550 | | -# (this is a plain-text YAML file, so you would never do that in the first place, right?) |
| 550 | +# The command used on line 1 will be logged in plain-text, so it must not include sensitive values (but, this is a plain-text YAML file, so you would never do that in the first place, right?) |
551 | 551 | # The value assigned to the variable is then read, line-by-line, and a mask is applied to each line's value |
552 | 552 |
|
553 | | -# An example of a safe command you could use would be something like this: |
| 553 | +# An example of a safe command you could use: |
554 | 554 | SENSITIVE="$(az keyvault secret show --name MySecretName --vault-name MyVaultName --query value --output tsv)" |
555 | 555 | ``` |
556 | 556 |
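Review bot: merging the two comment lines into 550 produces a very long line inside a fenced shell block; keep the parenthetical aside on its own comment line as it was, so the block stays readable without horizontal scrolling. Two caveats are worth adding next to 548-551 and 554, since they affect whether the masking actually protects the value: first, the reason the value is masked line by line (the `while ... done <<< "$SENSITIVE"` loop above) is that a mask applies to a single value, so a multi-line secret must be masked per line or the unmasked lines can still appear in the log; second, the `az keyvault secret show` command on 554 is only "safe" because the secret appears in the command's output, not its arguments, and that holds only while shell tracing is off: under `set -x`, bash prints the assignment with the expanded value (`+ SENSITIVE=...`), which would land in the log before the mask is applied. A one-line note saying not to enable `set -x` in this step would close that gap.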
|