Unify token description for resolve-environment, start-proxy, and upload-sarif
#2780
Conversation
token description for resolve-environment, start-proxy, and upload-sarif`token description for resolve-environment, start-proxy, and upload-sarif
There was a problem hiding this comment.
PR Overview
This pull request unifies the description of the GitHub token input for the resolve-environment and start-proxy actions to match the comprehensive description used in upload-sarif.
- Updated start-proxy/action.yml with an enhanced token description
- Updated resolve-environment/action.yml with a consistent token description
Reviewed Changes
| File | Description |
|---|---|
| start-proxy/action.yml | Updated token description to include built-in token details. |
| resolve-environment/action.yml | Revised token description for consistency with upload-sarif. |
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
Tip: Copilot code review supports C#, Go, Java, JavaScript, Markdown, Python, Ruby and TypeScript, with more languages coming soon. Learn more
start-proxy/action.yml
Outdated
| @@ -10,7 +10,7 @@ inputs: | |||
| description: Base64 encoded JSON configuration for the URLs and credentials of the package registries | |||
| required: false | |||
| token: | |||
| description: GitHub token to use for authenticating with this instance of GitHub, used to upload debug artifacts. | |||
| description: GitHub token to use for authenticating with this instance of GitHub. The token must be the built-in GitHub Actions token, and the workflow must have the `security-events: write` permission. Most of the time it is advisable to avoid specifying this input so that the workflow falls back to using the default value. | |||
There was a problem hiding this comment.
@marcogario could you confirm whether the token for start-proxy actually needs the security: write permission? If it's simply used for debug artifacts, I was thinking that it may only need actions: write.
There was a problem hiding this comment.
I saw the comment below from Andrew and I agree.
…d `upload-sarif`
e75e74f to
03c921e
Compare
| @@ -10,7 +10,7 @@ inputs: | |||
| description: Base64 encoded JSON configuration for the URLs and credentials of the package registries | |||
| required: false | |||
| token: | |||
| description: GitHub token to use for authenticating with this instance of GitHub, used to upload debug artifacts. | |||
| description: "GitHub token to use for authenticating with this instance of GitHub. The token must be the built-in GitHub Actions token, and the workflow must have the `security-events: write` permission. Most of the time it is advisable to avoid specifying this input so that the workflow falls back to using the default value." | |||
There was a problem hiding this comment.
Technically, security-events: write is not required for this action, but since this action is only ever used with the analyze action which does require the permission, I think it' fine to keep.
Partially fixes https://github.com/github/codeql-action/security/code-scanning/1050. The
upload-sariftoken description is the most comprehensive so I've used it forresolve-environmentandstart-proxy.Merge / deployment checklist