Manage access from GitHub actions workflows by providing temporary app access tokens to repository resources.
- This GitHub action will request an access token for a Granting Repository from the App Server, authorize by the GitHub Action ID Token (JWT signed by GitHub).
- The App Server requests a GitHub App Installation Token to read
.github/access.yamlfile in Granting Repository. - The App Server reads
.github/access.yamlfile from Granting Repository and determine which permissions should be granted to Requesting Repository, authorized by the GitHub App Installation Token from step2.. - The App Server requests a GitHub App Installation Token with granted permissions for Source Directory and send it back in response to this GitHub action from step
1.. - This GitHub action sets the token as environment variable
$GITHUB_ACCESS_MANAGER_TOKENand as step output${{ steps.access-manager.outputs.GITHUB_ACCESS_MANAGER_TOKEN }}. - Further steps can then utilize this token to access resources of the Granting Repository.
- Create
.github/access.yamlfile - Set
selfto enclosing repository.- This ensures no unintended access in case you fork a repository with
.github/access.yamlfile.
- This ensures no unintended access in case you fork a repository with
- Add
policiesand permissions, see examples below.repositoryvalue supports wildcards*e.g.repository: octa-org/*- ⚠
metadata: readpermission is implicitly always granted.
- Self access to trigger workflows from another workflow
self: qoomon/example policies: - repository: self permissions: actions: write
- Grant read access to GitHub Packages for an explicit repository
self: qoomon/example policies: - repository: qoomon/sandbox permissions: packages: read
- Grant read access to GitHub Packages for an entire organization
self: qoomon/example policies: - repository: octa-org/* permissions: packages: read
- Clone a remote repository
on: # ... permissions: id-token: write # required to request id-token jobs: build: runs-on: ubuntu-latest steps: - name: Request access token uses: qoomon/github-actions-access-manager@v2 with: repositories: | qoomon/sandbox permissions: | contents:read - name: Clone remote repository run: | git config --global credential.helper store git clone https://_:[email protected]/qoomon/sandbox.git # ...
- Trigger another workflow within the repository
on: # ... permissions: id-token: write # required to request id-token jobs: build: runs-on: ubuntu-latest steps: - name: Request access token id: access-manager uses: qoomon/github-actions-access-manager@v2 with: repositories: self permissions: actions:write - name: Trigger workflow run: | gh workflow run post_deploy_checks.yml \ --ref my-branch \ --field logLevel=debug env: GITHUB_TOKEN: ${{steps.access-manager.outputs.GITHUB_ACCESS_MANAGER_TOKEN}} # ...
- Create a new User App or a new Organizations App
- Fill out mandatory fields
- Deactivate Webhook
- Choose
Repository permissionsyou want to manage or see following suggestions- Actions:
Read and write - Contents:
Read-only - Packages:
Read-only
- Actions:
- Add Mandatory
Repository permissions- Single file:
Read-only- Add file path
.github/access.yaml
- Add file path
- Single file:
- Go to User App Settings or Organizations App Settings
- Click on
Editof your App - Click on
Install App - Choose an account to install your app to
- Fork this repository
- Create Vercel App of your fork
- set root directory to
server/ - set following environment variables. Copy values from User App Details or from Organizations App Details
GITHUB_APP_IDGITHUB_APP_PRIVATE_KEY
- set root directory to
- change default
endpointin github action action.yaml to your vercel app url. - Use your fork as GitHub action to request a access token,
- Start Server
npm --prefix server/ start
- Run GitHub Action
export NODE_ENV=development export ACTIONS_ACCESS_MANAGER_ENDPOINT=http://localhost:3000/v2/access_token export ACTIONS_ID_TOKEN=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImVCWl9jbjNzWFlBZDBjaDRUSEJLSElnT3dPRSIsImtpZCI6Ijc4MTY3RjcyN0RFQzVEODAxREQxQzg3ODRDNzA0QTFDODgwRUMwRTEifQ.eyJqdGkiOiJjOTAzODNiMC01YTVjLTQ2YTMtODUxZi0wYzQwMDRiMWRkYmUiLCJzdWIiOiJyZXBvOnFvb21vbi9naXRodWItYWN0aW9ucy1hY2Nlc3MtbWFuYWdlcjpyZWY6cmVmcy9oZWFkcy9tYWluIiwiYXVkIjoiaHR0cHM6Ly9naXRodWIuY29tL3Fvb21vbiIsInJlZiI6InJlZnMvaGVhZHMvbWFpbiIsInNoYSI6ImE5Yzk1NDYyM2RkYWE5NTVhMmE3ZjJlYjViYWQ5MjJhNDAzZjAwYzgiLCJyZXBvc2l0b3J5IjoicW9vbW9uL2dpdGh1Yi1hY3Rpb25zLWFjY2Vzcy1tYW5hZ2VyIiwicmVwb3NpdG9yeV9vd25lciI6InFvb21vbiIsInJlcG9zaXRvcnlfb3duZXJfaWQiOiIzOTYzMzk0IiwicnVuX2lkIjoiMzI5MjgxMzc4NCIsInJ1bl9udW1iZXIiOiIxIiwicnVuX2F0dGVtcHQiOiIxIiwicmVwb3NpdG9yeV92aXNpYmlsaXR5IjoicHVibGljIiwicmVwb3NpdG9yeV9pZCI6IjUyMjkyNDUzMSIsImFjdG9yX2lkIjoiMzk2MzM5NCIsImFjdG9yIjoicW9vbW9uIiwid29ya2Zsb3ciOiIuZ2l0aHViL3dvcmtmbG93cy90b2tlbi55YW1sIiwiaGVhZF9yZWYiOiIiLCJiYXNlX3JlZiI6IiIsImV2ZW50X25hbWUiOiJ3b3JrZmxvd19kaXNwYXRjaCIsInJlZl90eXBlIjoiYnJhbmNoIiwiam9iX3dvcmtmbG93X3JlZiI6InFvb21vbi9naXRodWItYWN0aW9ucy1hY2Nlc3MtbWFuYWdlci8uZ2l0aHViL3dvcmtmbG93cy90b2tlbi55YW1sQHJlZnMvaGVhZHMvbWFpbiIsImlzcyI6Imh0dHBzOi8vdG9rZW4uYWN0aW9ucy5naXRodWJ1c2VyY29udGVudC5jb20iLCJuYmYiOjE2NjYyOTgxNjEsImV4cCI6MTY2NjI5OTA2MSwiaWF0IjoxNjY2Mjk4NzYxfQ.37dPzBp031doaTq1alL4s1vpn7ODAX8ks2_cPbloJd-Scaf9fbkdZjYON0Ogm0Gu3yURvSusFVbej22KwHYdTmxQh-NyudXpmqTnTI7RY-9ouiEScY0-D9mc7oUI8INb7phwUOdzOECb48HbPNA04MVwJ2YGQwyWBIXixScMMv3Au3g22NK6Kc_-MPXuSCbBzj2ZLyn2g57BMGs_OveFZy0uRzv5YuzS-QdjBgpesWuJrLgE4DPk3YTkpaLC0rTWo4feNUa53TZStrOREODO-TcWgIAkUJBcNoE3vhJJkBn2NFeovxzW5yj_sO3Kq4E24XYtUrXR52z_34yz9hzdsQ INPUT_REPOSITORIES=qoomon/github-actions-access-manager \ INPUT_PERMISSIONS=contents:read \ node index.js
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent
