-
-
Notifications
You must be signed in to change notification settings - Fork 7
/
access-token.owner-template.yaml
132 lines (125 loc) · 6.39 KB
/
access-token.owner-template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
origin: __CHANGE_ME_TO_GITHUB_REPO_OWNER__/.github-access-token # e.g. qoomon/.github-access-token
# Configure which subjects are allowed to request an access token.
# allowed-subjects:
# - 'repo:ORIGIN_OWNER/*:**' # Default
#
# === Allowed Subject Pattern Wildcards ===
#
# '*' - match every character except ':'
# ':**' - match every following claim, can only be used at the end of a subject pattern
# Configuration which permissions are allowed to be managed by the repositories themselves
allowed-repository-permissions: # https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps
# === Repository permissions ===
#
# actions: read # read or write
# actions-variables: read # read or write
# administration: read # read or write - BE AWARE 'administration' scope can not be completely limited to a repository e.g. create new repositories is still possible
# checks: read # read or write
# codespaces: read # read or write
# codespaces-lifecycle-admin: read # read or write
# codespaces-metadata: read # read or write
# codespaces-secrets: read # write
# contents: read # read or write
# custom-properties: read # read or write
# dependabot-secrets: read # read or write
# deployments: read # read or write
# discussions: read # read or write
# environments: read # read or write
# issues: read # read or write
# merge-queues: read # read or write
# packages: read # read or write
# pages: read # read or write
# projects: read # read or write or admin
# pull-requests: read # read or write
# repository-advisories: read # read or write
# repository-hooks: read # read or write
# repository-projects: read # read or write or admin
# secret-scanning-alerts: read # read or write
# secrets: read # read or write
# security-events: read # read or write
# statuses: read # read or write
# team-discussions: read # read or write
# vulnerability-alerts: read # read or write
# workflows: write # only write
# Grant owner scoped permissions (owner permission or owner wide repository permissions)
# NOTE: Every statement will always implicitly grant `metadata: read` permission.
statements:
- subjects:
# === Subject Pattern examples ===
#
# grant access to jobs running on the main branch
# - repo:${origin}:ref:refs/heads/main
# grant access jobs running on any tag starting with a v
# - repo:${origin}:ref:refs/tags/v*
# grant access to jobs using production environment
# - repo:${origin}:environment:production
# grant access to jobs of a specific workflow file
# - repo:${origin}:workflow_ref:${origin}/.github/workflows/build.yml@refs/heads/main
# === Subject Pattern Variables and Wildcards ===
#
# ${origin} - resolves to the origin repository name e.g. qoomon/sandbox
# '*' - match every character except ':'
# ':**' - match every following claim, can only be used at the end of a subject pattern
# === GitHub Actions OIDC Token Subjects ===
#
# A GitHub Actions job will always have the following subjects
# The original OIDC token 'sub' claim e.g. repo:${origin}:ref:refs/heads/main or repo:${origin}:environment:production
# repo:${origin}:ref:<ref> e.g. repo:${origin}:ref:refs/heads/main
# repo:${origin}:environment:<environment> e.g. repo:${origin}:environment:production
# repo:${origin}:workflow_ref:<workflow_ref> e.g. repo:${origin}:workflow_ref:${origin}/.github/workflows/build.yml@refs/heads/main
# repo:${origin}:job_workflow_ref:<job_workflow_ref> e.g. repo:${origin}:job_workflow_ref:${origin}/.github/workflows/build.yml@refs/heads/main
permissions: # https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps
# === Organization permissions ===
# members: read # read or write
# organization-actions-variables: read # read or write
# organization-administration: read # read or write
# organization-announcement-banners: read # read or write
# organization-codespaces: read # read or write
# organization-codespaces-secrets: read # read or write
# organization-codespaces-settings: read # read or write
# organization-copilot-seat-management: read # read or write
# organization-custom-org-roles: read # read or write
# organization-custom-properties: read read # read or write or admin
# organization-custom-roles: read # read or write
# organization-dependabot-secrets: read # read or write
# organization-events: read # only read
# organization-hooks: read # read or write
# organization-personal-access-token-requests: read # read or write
# organization-personal-access-tokens: read # read or write
# organization-plan: read # only read
# organization-projects: read # read or write or admin
# organization-secrets: read # read or write
# organization-self-hosted-runners: read # read or write
# organization-user-blocking: read # read or write
# === Repository permissions ===
#
# actions: read # read or write
# actions-variables: read # read or write
# administration: read # read or write - BE AWARE 'administration' scope can not be completely limited to a repository e.g. create new repositories is still possible
# checks: read # read or write
# codespaces: read # read or write
# codespaces-lifecycle-admin: read # read or write
# codespaces-metadata: read # read or write
# codespaces-secrets: read # write
# contents: read # read or write
# custom-properties: read # read or write
# dependabot-secrets: read # read or write
# deployments: read # read or write
# discussions: read # read or write
# environments: read # read or write
# issues: read # read or write
# merge-queues: read # read or write
# packages: read # read or write
# pages: read # read or write
# projects: read # read or write or admin
# pull-requests: read # read or write
# repository-advisories: read # read or write
# repository-hooks: read # read or write
# repository-projects: read # read or write or admin
# secret-scanning-alerts: read # read or write
# secrets: read # read or write
# security-events: read # read or write
# statuses: read # read or write
# team-discussions: read # read or write
# vulnerability-alerts: read # read or write
# workflows: write # only write