
Do not set permissions for jobs with GITHUB_TOKEN in job level env variable #2479

@varunsh-coder

Description


There is an error condition to not set permissions for jobs with GITHUB_TOKEN in step level env variable

const errorSecretInRunStepEnvVariable = "KnownIssue-2: Jobs with run steps that use token in environment variable are not supported"

But if env variable is set at job level, the code sets token permissions. These may be incorrect as the specific logic to determine the permissions is not known.

Here is a test workflow

name: Job level env
on:
  pull_request:
    branches: [main]

jobs:
  Lint:
    env:
      GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      - name: some step that uses token
        run: |
          npm ci
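An added example (not code from secure-repo) of treating a job-level `env` reference to the token the same way as the step-level case, so both fall under KnownIssue-2 and no permissions are calculated for the job. The `Step` and `Job` types, the regex and the function names are assumptions for the demonstration:

```go
package main

import (
	"fmt"
	"regexp"
)

// Assumed minimal types (not secure-repo's own); a YAML parser would fill them.
type Step struct{ Env map[string]string }
type Job struct {
	Env   map[string]string
	Steps []Step
}

// Matches ${{ secrets.GITHUB_TOKEN }} and ${{ github.token }} with or without
// inner whitespace, so the issue's `${{secrets.GITHUB_TOKEN}}` is caught too.
var tokenExpr = regexp.MustCompile(`\$\{\{\s*(secrets\.GITHUB_TOKEN|github\.token)\s*\}\}`)

func envUsesToken(env map[string]string) bool {
	for _, v := range env {
		if tokenExpr.MatchString(v) {
			return true
		}
	}
	return false
}

// JobUsesTokenInEnv is true when the token reaches run steps through env at the
// job level or at any step level. Both cases are KnownIssue-2: the scopes the
// steps need are unknown, so no permissions block should be generated.
func JobUsesTokenInEnv(job Job) bool {
	if envUsesToken(job.Env) {
		return true
	}
	for _, s := range job.Steps {
		if envUsesToken(s.Env) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed input mirroring the issue's Lint job (token in job-level env only).
	lint := Job{
		Env:   map[string]string{"GITHUB_TOKEN": "${{secrets.GITHUB_TOKEN}}"},
		Steps: []Step{{}},
	}
	fmt.Println("skip permissions for Lint:", JobUsesTokenInEnv(lint)) // true
}
```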

Labels: bug