
What permissions can be specified for a GitHub Apps Installation Token?


For a while I had been migrating the parts of our GitHub Actions workflows that used fine-grained personal access tokens over to GitHub Apps Installation Tokens.

The following pages describe GitHub Apps Installation Tokens in detail.
https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app

https://zenn.dev/coconala/articles/ee36ed7219a2ae

When you need to mint an Installation Token inside a GitHub Actions workflow, GitHub publishes an official Action for it, so you can simply use that.

https://github.com/actions/create-github-app-token

Now, create-github-app-token lets you specify which permissions the minted token should carry. This matters for least privilege: if you omit the `permission-*` inputs entirely, the token is issued with every permission the app installation has, so a workflow that only needs to touch Pull Requests should ask for exactly that. For example, to modify Pull Requests:

```yaml
steps:
  - uses: actions/create-github-app-token@v2
    id: app-token
    with:
      app-id: ${{ vars.APP_ID }}
      private-key: ${{ secrets.PRIVATE_KEY }}
      # Without a `repositories` input, the token covers every repository
      # of this owner's installation; add `repositories:` to narrow it further.
      owner: ${{ github.repository_owner }}
      permission-pull-requests: write
```

Any permission can be named in the `permission-*` part, but I had been using it without really knowing which strings are correct.

```yaml
steps:
  - uses: actions/create-github-app-token@v2
    id: app-token
    with:
      app-id: ${{ vars.APP_ID }}
      private-key: ${{ secrets.PRIVATE_KEY }}
      owner: ${{ github.repository_owner }}
      permission-???: write # <= what should this be if I want to request a review from an Organization Team?
```

The strings accepted here follow a rule of sorts, but it is not an obvious one. For example, the permission covering Organization Projects is `organization_projects` (action input `permission-organization-projects`), while the permission covering Organization Teams is `members` (action input `permission-members`). Note also that the action's input names use dashes where the REST API's permission keys use underscores. The naming is not consistent.[1]
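As an added example (this is not code from the original post or from actions/create-github-app-token), the following script applies that rule mechanically: start from the snake_case keys of the REST API's `app-permissions` schema, validate the requested keys and levels against it, and emit the kebab-case `permission-*` input names the action expects (underscores become dashes). The schema excerpt is a constructed subset with the levels the schema documents for those keys; `toActionInputs`, `toInputName`, `toApiKey` and `renderWith` are hypothetical helper names.

```javascript
// Added example: map REST API permission keys to create-github-app-token inputs
// and reject unknown keys or levels before the workflow runs.

// Constructed excerpt of components.schemas["app-permissions"].properties from
// the api.github.com OpenAPI description. Only the keys used below are included.
const APP_PERMISSIONS_SCHEMA = {
  contents: { enum: ["read", "write"] },
  members: { enum: ["read", "write"] },
  metadata: { enum: ["read"] },
  organization_projects: { enum: ["read", "write", "admin"] },
  pull_requests: { enum: ["read", "write"] },
  repository_projects: { enum: ["read", "write", "admin"] },
};

// "organization_projects" -> "permission-organization-projects"
function toInputName(apiKey) {
  return "permission-" + apiKey.replaceAll("_", "-");
}

// "permission-organization-projects" -> "organization_projects"
function toApiKey(inputName) {
  const prefix = "permission-";
  if (!inputName.startsWith(prefix)) {
    throw new Error(`not a permission input: ${inputName}`);
  }
  return inputName.slice(prefix.length).replaceAll("-", "_");
}

// Turns a desired API-style permission map into the action's `with:` inputs.
// Returns { inputs, errors }; any entry in errors would make the action fail.
function toActionInputs(desired, schema = APP_PERMISSIONS_SCHEMA) {
  const inputs = {};
  const errors = [];
  for (const [key, level] of Object.entries(desired)) {
    const spec = schema[key];
    if (!spec) {
      errors.push(`unknown permission "${key}"`);
      continue;
    }
    if (!spec.enum.includes(level)) {
      errors.push(`"${key}" does not accept "${level}" (allowed: ${spec.enum.join(", ")})`);
      continue;
    }
    inputs[toInputName(key)] = level;
  }
  return { inputs, errors };
}

// Renders the validated inputs as the YAML `with:` block of the action step.
function renderWith(inputs) {
  const lines = ["with:"];
  for (const [name, level] of Object.entries(inputs)) {
    lines.push(`  ${name}: ${level}`);
  }
  return lines.join("\n");
}

// The case from the post: "teams" is not a permission key (the team-related
// permission is "members"), and "contents" has no "admin" level.
const { inputs, errors } = toActionInputs({
  pull_requests: "write",
  members: "read",
  organization_projects: "read",
  teams: "read",      // wrong guess, rejected
  contents: "admin",  // level not allowed for this key, rejected
});
console.log(renderWith(inputs));
console.log(errors);
```

Running this locally, or as a pre-commit check over the workflow file, turns the trial-and-error described below into an immediate error message that also tells you the allowed levels.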

Specifying a permission that does not exist makes the Action fail, so I had been pulling plausible-looking strings from the GitHub App's permission settings screen and trying them one by one, until I recently noticed that the create-github-app-token repository itself contains a list of the permissions that can be set.

It is long, so I extracted just the permission names and descriptions. Here is the list.

```json
[
  {
    "key": "actions",
    "description": "The level of permission to grant the access token for GitHub Actions workflows, workflow runs, and artifacts."
  },
  {
    "key": "administration",
    "description": "The level of permission to grant the access token for repository creation, deletion, settings, teams, and collaborators creation."
  },
  {
    "key": "checks",
    "description": "The level of permission to grant the access token for checks on code."
  },
  {
    "key": "codespaces",
    "description": "The level of permission to grant the access token to create, edit, delete, and list Codespaces."
  },
  {
    "key": "contents",
    "description": "The level of permission to grant the access token for repository contents, commits, branches, downloads, releases, and merges."
  },
  {
    "key": "dependabot_secrets",
    "description": "The level of permission to grant the access token to manage Dependabot secrets."
  },
  {
    "key": "deployments",
    "description": "The level of permission to grant the access token for deployments and deployment statuses."
  },
  {
    "key": "environments",
    "description": "The level of permission to grant the access token for managing repository environments."
  },
  {
    "key": "issues",
    "description": "The level of permission to grant the access token for issues and related comments, assignees, labels, and milestones."
  },
  {
    "key": "metadata",
    "description": "The level of permission to grant the access token to search repositories, list collaborators, and access repository metadata."
  },
  {
    "key": "packages",
    "description": "The level of permission to grant the access token for packages published to GitHub Packages."
  },
  {
    "key": "pages",
    "description": "The level of permission to grant the access token to retrieve Pages statuses, configuration, and builds, as well as create new builds."
  },
  {
    "key": "pull_requests",
    "description": "The level of permission to grant the access token for pull requests and related comments, assignees, labels, milestones, and merges."
  },
  {
    "key": "repository_custom_properties",
    "description": "The level of permission to grant the access token to view and edit custom properties for a repository, when allowed by the property."
  },
  {
    "key": "repository_hooks",
    "description": "The level of permission to grant the access token to manage the post-receive hooks for a repository."
  },
  {
    "key": "repository_projects",
    "description": "The level of permission to grant the access token to manage repository projects, columns, and cards."
  },
  {
    "key": "secret_scanning_alerts",
    "description": "The level of permission to grant the access token to view and manage secret scanning alerts."
  },
  {
    "key": "secrets",
    "description": "The level of permission to grant the access token to manage repository secrets."
  },
  {
    "key": "security_events",
    "description": "The level of permission to grant the access token to view and manage security events like code scanning alerts."
  },
  {
    "key": "single_file",
    "description": "The level of permission to grant the access token to manage just a single file."
  },
  {
    "key": "statuses",
    "description": "The level of permission to grant the access token for commit statuses."
  },
  {
    "key": "vulnerability_alerts",
    "description": "The level of permission to grant the access token to manage Dependabot alerts."
  },
  {
    "key": "workflows",
    "description": "The level of permission to grant the access token to update GitHub Actions workflow files."
  },
  {
    "key": "members",
    "description": "The level of permission to grant the access token for organization teams and members."
  },
  {
    "key": "organization_administration",
    "description": "The level of permission to grant the access token to manage access to an organization."
  },
  {
    "key": "organization_custom_roles",
    "description": "The level of permission to grant the access token for custom repository roles management."
  },
  {
    "key": "organization_custom_org_roles",
    "description": "The level of permission to grant the access token for custom organization roles management."
  },
  {
    "key": "organization_custom_properties",
    "description": "The level of permission to grant the access token for custom property management."
  },
  {
    "key": "organization_copilot_seat_management",
    "description": "The level of permission to grant the access token for managing access to GitHub Copilot for members of an organization with a Copilot Business subscription. This property is in public preview and is subject to change."
  },
  {
    "key": "organization_announcement_banners",
    "description": "The level of permission to grant the access token to view and manage announcement banners for an organization."
  },
  {
    "key": "organization_events",
    "description": "The level of permission to grant the access token to view events triggered by an activity in an organization."
  },
  {
    "key": "organization_hooks",
    "description": "The level of permission to grant the access token to manage the post-receive hooks for an organization."
  },
  {
    "key": "organization_personal_access_tokens",
    "description": "The level of permission to grant the access token for viewing and managing fine-grained personal access token requests to an organization."
  },
  {
    "key": "organization_personal_access_token_requests",
    "description": "The level of permission to grant the access token for viewing and managing fine-grained personal access tokens that have been approved by an organization."
  },
  {
    "key": "organization_plan",
    "description": "The level of permission to grant the access token for viewing an organization's plan."
  },
  {
    "key": "organization_projects",
    "description": "The level of permission to grant the access token to manage organization projects and projects public preview (where available)."
  },
  {
    "key": "organization_packages",
    "description": "The level of permission to grant the access token for organization packages published to GitHub Packages."
  },
  {
    "key": "organization_secrets",
    "description": "The level of permission to grant the access token to manage organization secrets."
  },
  {
    "key": "organization_self_hosted_runners",
    "description": "The level of permission to grant the access token to view and manage GitHub Actions self-hosted runners available to an organization."
  },
  {
    "key": "organization_user_blocking",
    "description": "The level of permission to grant the access token to view and manage users blocked by the organization."
  },
  {
    "key": "team_discussions",
    "description": "The level of permission to grant the access token to manage team discussions and related comments."
  },
  {
    "key": "email_addresses",
    "description": "The level of permission to grant the access token to manage the email addresses belonging to a user."
  },
  {
    "key": "followers",
    "description": "The level of permission to grant the access token to manage the followers belonging to a user."
  },
  {
    "key": "git_ssh_keys",
    "description": "The level of permission to grant the access token to manage git SSH keys."
  },
  {
    "key": "gpg_keys",
    "description": "The level of permission to grant the access token to view and manage GPG keys belonging to a user."
  },
  {
    "key": "interaction_limits",
    "description": "The level of permission to grant the access token to view and manage interaction limits on a repository."
  },
  {
    "key": "profile",
    "description": "The level of permission to grant the access token to manage the profile settings belonging to a user."
  },
  {
    "key": "starring",
    "description": "The level of permission to grant the access token to list and manage repositories a user is starring."
  }
]
```

Internally, the action appears to take this list from the GitHub API schemas. Each entry comes with a description, which makes it easy to follow, so I am leaving it here as a note.

```javascript
// `OctokitOpenapi` is the GitHub OpenAPI description shipped in the @octokit/openapi package;
// "app-permissions" is the schema of the `permissions` object accepted when minting an installation token.
OctokitOpenapi.schemas["api.github.com"].components.schemas["app-permissions"]
```
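The schema tells you which keys exist; whether the token you actually minted carries only the permissions you asked for is a separate check worth automating. As an added example (not code from the post, from GitHub or from Octokit), the helper below audits the `permissions` object in the response body of `POST /app/installations/{installation_id}/access_tokens` against the intended set and reports extras, escalations and gaps, and also flags a token whose `repository_selection` is `all`. The response body is a constructed sample, treating `metadata: read` as an implicit grant is an assumption stated in the code, and `auditTokenPermissions` and `repositoryScopeIsBounded` are hypothetical names.

```javascript
// Added example: check a freshly minted installation access token for over-privilege.
// Input is the `permissions` object of the access_tokens response (REST API or Octokit).

const LEVEL_RANK = { read: 1, write: 2, admin: 3 };

// Assumption: GitHub attaches the mandatory `metadata: read` permission to every
// installation token, so it is not reported as an extra.
const IMPLICIT = { metadata: "read" };

// Compares granted permissions with the intended map ({ key: level }).
// Returns { ok, extra, escalated, missing }.
function auditTokenPermissions(granted, intended) {
  const extra = [];      // granted but never requested
  const escalated = [];  // granted at a higher level than requested
  const missing = [];    // requested but absent or too low
  for (const [key, level] of Object.entries(granted)) {
    const want = intended[key];
    if (want === undefined) {
      if (IMPLICIT[key] === level) continue;
      extra.push(`${key}:${level}`);
    } else if (LEVEL_RANK[level] > LEVEL_RANK[want]) {
      escalated.push(`${key}:${level} (wanted ${want})`);
    }
  }
  for (const [key, want] of Object.entries(intended)) {
    const got = granted[key];
    if (got === undefined || LEVEL_RANK[got] < LEVEL_RANK[want]) {
      missing.push(`${key}:${want} (got ${got ?? "none"})`);
    }
  }
  const ok = extra.length === 0 && escalated.length === 0 && missing.length === 0;
  return { ok, extra, escalated, missing };
}

// The action's `owner` input without `repositories` yields repository_selection "all".
// A workflow that only meant to touch specific repositories should see "selected".
function repositoryScopeIsBounded(response) {
  return response.repository_selection === "selected";
}

// Constructed sample response: the permission-* inputs were omitted, so the token
// inherited everything the installation has, not just what the workflow needs.
const SAMPLE_RESPONSE = {
  token: "ghs_<redacted-constructed-sample>",
  expires_at: "2025-01-01T01:00:00Z",
  permissions: {
    contents: "write",
    metadata: "read",
    pull_requests: "write",
    members: "read",
    secrets: "write",
  },
  repository_selection: "all",
};

const intended = { pull_requests: "write", members: "read" };
const report = auditTokenPermissions(SAMPLE_RESPONSE.permissions, intended);
if (!report.ok) {
  console.error("token is over-privileged:", report);
}
if (!repositoryScopeIsBounded(SAMPLE_RESPONSE)) {
  console.error("token covers all repositories of the installation");
}
```

In a workflow that mints the token itself (rather than through the action, which only exposes the token string), failing the job on a non-empty `extra` or `escalated` list keeps a later change to the app's installed permissions from silently widening what every workflow can do.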
Footnotes
  1. There is in fact a rule: objects that exist at both the organization and the repository level get an `organization_` prefix. But applying it requires knowing every kind of object GitHub handles, which is not realistic. ↩︎
