概览
You can use permissions to modify the default permissions granted to the GITHUB_TOKEN, adding or removing access as required, so that you only allow the minimum required access. 更多信息请参阅“工作流程中的身份验证。
您可以使用 permissions 作为顶级密钥,以应用于工作流程中的所有作业,或特定的作业。 当您在特定作业中添加 permissions 键时,该作业中的所有操作和运行命令使用 GITHUB_TOKEN 获取您指定的访问权限。 更多信息请参阅 jobs.<job_id>.permissions。
Available scopes and access values:
permissions:
actions: read|write|none
checks: read|write|none
contents: read|write|none
deployments: read|write|none
id-token: read|write|none
issues: read|write|none
discussions: read|write|none
packages: read|write|none
pages: read|write|none
pull-requests: read|write|none
repository-projects: read|write|none
security-events: read|write|none
statuses: read|write|none
If you specify the access for any of these scopes, all of those that are not specified are set to none.
You can use the following syntax to define read or write access for all of the available scopes:
permissions: read-all|write-all
You can use the following syntax to disable permissions for all of the available scopes:
permissions: {}
您可以使用 permissions 键来添加和删除复刻仓库的读取权限,但通常不能授予写入权限。 此行为的例外情况是,管理员在 GitHub Actions 设置中选择了 Send write tokens to workflows from pull requests(从拉取请求发送写入令牌到工作流程)选项。 更多信息请参阅“管理仓库的 GitHub Actions 设置”。
Example: Assigning permissions to GITHUB_TOKEN
此示例显示为将要应用到工作流程中所有作业的 GITHUB_TOKEN 设置的权限。 所有权限都被授予读取权限。
name: "My workflow"
on: [ push ]
permissions: read-all
jobs:
...
为特定作业分配权限
For a specific job, you can use jobs.<job_id>.permissions to modify the default permissions granted to the GITHUB_TOKEN, adding or removing access as required, so that you only allow the minimum required access. 更多信息请参阅“工作流程中的身份验证。
通过在工作定义中指定权限,您可以根据需要为每个作业的 GITHUB_TOKEN 配置一组不同的权限。 或者,您也可以为工作流程中的所有作业指定权限。 有关在工作流程级别定义权限的信息,请参阅 permissions。
Available scopes and access values:
permissions:
actions: read|write|none
checks: read|write|none
contents: read|write|none
deployments: read|write|none
id-token: read|write|none
issues: read|write|none
discussions: read|write|none
packages: read|write|none
pages: read|write|none
pull-requests: read|write|none
repository-projects: read|write|none
security-events: read|write|none
statuses: read|write|none
If you specify the access for any of these scopes, all of those that are not specified are set to none.
You can use the following syntax to define read or write access for all of the available scopes:
permissions: read-all|write-all
You can use the following syntax to disable permissions for all of the available scopes:
permissions: {}
您可以使用 permissions 键来添加和删除复刻仓库的读取权限,但通常不能授予写入权限。 此行为的例外情况是,管理员在 GitHub Actions 设置中选择了 Send write tokens to workflows from pull requests(从拉取请求发送写入令牌到工作流程)选项。 更多信息请参阅“管理仓库的 GitHub Actions 设置”。
Example: Setting permissions for a specific job
此示例显示为将要应用到作业 stale 的 GITHUB_TOKEN 设置的权限。 对于 issues 和 pull-requests 拉取请求,授予写入访问权限。 所有其他范围将没有访问权限。
jobs:
stale:
runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
steps:
- uses: actions/stale@v5