-
-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathaccess-token.repo-template.yaml
65 lines (61 loc) · 3.27 KB
/
access-token.repo-template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
origin: __CHANGE_ME_TO_GITHUB_REPO_OWNER__/GITHUB_REPO_NAME # e.g. qoomon/sandbox
# Grant repository scoped permissions
# NOTE: Every statement will always implicitly grant `metadata: read` permission.
statements:
- subjects:
# === Subject Pattern examples ===
#
# grant access to jobs running on the main branch
# - repo:${origin}:ref:refs/heads/main
# grant access jobs running on any tag starting with a v
# - repo:${origin}:ref:refs/tags/v*
# grant access to jobs using production environment
# - repo:${origin}:environment:production
# grant access to jobs of a specific workflow file
# - repo:${origin}:workflow_ref:${origin}/.github/workflows/build.yml@refs/heads/main
# === Subject Pattern Variables and Wildcards ===
#
# ${origin} - resolves to the origin repository name e.g. qoomon/sandbox
# '*' - match every character except ':'
# ':**' - match every following claim, can only be used at the end of a subject pattern
# === GitHub Actions OIDC Token Subjects ===
#
# A GitHub Actions job will always have the following subjects
# The original OIDC token 'sub' claim e.g. repo:${origin}:ref:refs/heads/main or repo:${origin}:environment:production
# repo:${origin}:ref:<ref> e.g. repo:${origin}:ref:refs/heads/main
# repo:${origin}:environment:<environment> e.g. repo:${origin}:environment:production
# repo:${origin}:workflow_ref:<workflow_ref> e.g. repo:${origin}:workflow_ref:${origin}/.github/workflows/build.yml@refs/heads/main
# repo:${origin}:job_workflow_ref:<job_workflow_ref> e.g. repo:${origin}:job_workflow_ref:${origin}/.github/workflows/build.yml@refs/heads/main
permissions: # https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps
# === Repository permissions ===
#
# actions: read # read or write
# actions-variables: read # read or write
# administration: read # read or write - BE AWARE 'administration' scope can not be completely limited to a repository e.g. create new repositories is still possible
# checks: read # read or write
# codespaces: read # read or write
# codespaces-lifecycle-admin: read # read or write
# codespaces-metadata: read # read or write
# codespaces-secrets: read # write
# contents: read # read or write
# custom-properties: read # read or write
# dependabot-secrets: read # read or write
# deployments: read # read or write
# discussions: read # read or write
# environments: read # read or write
# issues: read # read or write
# merge-queues: read # read or write
# packages: read # read or write
# pages: read # read or write
# projects: read # read or write or admin
# pull-requests: read # read or write
# repository-advisories: read # read or write
# repository-hooks: read # read or write
# repository-projects: read # read or write or admin
# secret-scanning-alerts: read # read or write
# secrets: read # read or write
# security-events: read # read or write
# statuses: read # read or write
# team-discussions: read # read or write
# vulnerability-alerts: read # read or write
# workflows: write # only write