Overview
You can use permissions to modify the default permissions granted to the GITHUB_TOKEN, adding or removing access as required, so that you only allow the minimum required access. For more information, see "Authentication in a workflow."
You can use permissions either as a top-level key, to apply to all jobs in the workflow, or within specific jobs. When you add the permissions key within a specific job, all actions and run commands within that job that use the GITHUB_TOKEN gain the access rights you specify. For more information, see jobs.<job_id>.permissions.
Available scopes and access values:

permissions:
  actions: read|write|none
  checks: read|write|none
  contents: read|write|none
  deployments: read|write|none
  id-token: read|write|none
  issues: read|write|none
  discussions: read|write|none
  packages: read|write|none
  pages: read|write|none
  pull-requests: read|write|none
  repository-projects: read|write|none
  security-events: read|write|none
  statuses: read|write|none

If you specify the access for any of these scopes, all of those that are not specified are set to none.
You can use the following syntax to define read or write access for all of the available scopes:
permissions: read-all|write-all
You can use the following syntax to disable permissions for all of the available scopes:
permissions: {}
You can use the permissions key to add and remove read permissions for forked repositories, but typically you cannot grant write access. The exception to this behavior is where an admin user has selected the Send write tokens to workflows from pull requests option in the GitHub Actions settings. For more information, see "Managing GitHub Actions settings for a repository."
Example: Assigning permissions to GITHUB_TOKEN
This example shows permissions being set for the GITHUB_TOKEN that will apply to all jobs in the workflow. All permissions are granted read access.
name: "My workflow"
on: [ push ]
permissions: read-all
jobs:
...
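The following workflow is an added example, not taken from this page, showing how the workflow-level and job-level keys combine in practice: a restrictive workflow-level default, with one job raising a single scope to write. The contrast with permissions: write-all at the top level is that there every scope is writable in every job, so a compromised step in any job can push commits, publish packages or alter security alerts. The gh pr edit call, the GH_TOKEN environment variable and the label name are assumptions made for the illustration.

```yaml
name: "Hardened workflow"
on:
  push:
  pull_request:

# Workflow-level default for every job. Naming one scope forces all the
# unnamed scopes to none, so the token here can only read repository contents.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # No job-level key: inherits contents: read and nothing else.
    steps:
      - uses: actions/checkout@v3
      - run: make test

  label:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    # A job-level key replaces the workflow-level one entirely: this job gets
    # pull-requests: write and no other scope (it can no longer read contents,
    # which is fine because it does not check out the repository).
    # On a pull_request from a fork this write is downgraded to read unless the
    # admin enabled "Send write tokens to workflows from pull requests".
    permissions:
      pull-requests: write
    steps:
      - run: gh pr edit "$PR_NUMBER" --add-label needs-review
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # assumption: gh reads GH_TOKEN
          PR_NUMBER: ${{ github.event.pull_request.number }}
```

When reviewing a workflow, read the job-level keys before the top-level one: a job that sets its own permissions ignores the workflow-level block completely, so a restrictive top-level default does not cap what an individual job may grant itself.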
Assigning permissions to a specific job
For a specific job, you can use jobs.<job_id>.permissions to modify the default permissions granted to the GITHUB_TOKEN, adding or removing access as required, so that you only allow the minimum required access. For more information, see "Authentication in a workflow."
By specifying the permissions within a job definition, you can configure a different set of permissions for the GITHUB_TOKEN for each job, if required. Alternatively, you can specify the permissions for all jobs in the workflow. For information on defining permissions at the workflow level, see permissions.
The available scopes, access values, the read-all|write-all and {} shorthands, and the restriction on write access for forked repositories are the same as for the workflow-level permissions key described above.
Example: Setting permissions for a specific job
This example shows permissions being set for the GITHUB_TOKEN that will only apply to the job named stale. Write access is granted for the issues and pull-requests scopes. All other scopes will have no access.

jobs:
  stale:
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
    steps:
      - uses: actions/stale@v5
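The rules on this page are simple individually but easy to misjudge in combination, so the following added script (not GitHub's code) computes the effective GITHUB_TOKEN scopes per job from a parsed workflow and lists the jobs that end up with write access. It encodes exactly the rules stated above: a mapping forces unnamed scopes to none, read-all/write-all/{} set every scope, a job-level key replaces the workflow-level one, and on pull requests from forks write is downgraded to read unless the admin override is on. The workflow is passed as the mapping yaml.safe_load would return; the sample is constructed inline (the two examples on this page merged, plus a job with no permissions key) so the script runs without PyYAML. The page does not define the repository default that applies when no permissions key is present at all, so that case is reported as unresolved rather than guessed.

```python
"""Effective GITHUB_TOKEN permissions per job (added example, not GitHub's code)."""

SCOPES = (
    "actions", "checks", "contents", "deployments", "id-token", "issues",
    "discussions", "packages", "pages", "pull-requests",
    "repository-projects", "security-events", "statuses",
)
LEVELS = ("none", "read", "write")


def expand(permissions):
    """Turn one `permissions` value into a full scope -> level mapping.

    Returns None when the key is absent: the repository default then applies,
    which this page does not define, so it is deliberately left unresolved.
    """
    if permissions is None:
        return None
    if permissions == "read-all":
        return {s: "read" for s in SCOPES}
    if permissions == "write-all":
        return {s: "write" for s in SCOPES}
    if isinstance(permissions, dict):          # includes the empty mapping {}
        unknown = set(permissions) - set(SCOPES)
        if unknown:
            raise ValueError(f"unknown scope(s): {sorted(unknown)}")
        bad = [v for v in permissions.values() if v not in LEVELS]
        if bad:
            raise ValueError(f"bad access value(s): {bad}")
        # Any named scope forces every unnamed scope to none.
        return {s: permissions.get(s, "none") for s in SCOPES}
    raise ValueError(f"unsupported permissions value: {permissions!r}")


def effective_permissions(workflow, from_fork=False, write_tokens_for_forks=False):
    """Map each job id to the scopes its GITHUB_TOKEN effectively receives.

    from_fork models a pull_request from a forked repository; the admin option
    "Send write tokens to workflows from pull requests" is the second flag.
    """
    top = expand(workflow.get("permissions"))
    result = {}
    for job_id, job in workflow.get("jobs", {}).items():
        job_perms = expand(job.get("permissions")) if isinstance(job, dict) else None
        perms = job_perms if job_perms is not None else top   # job key replaces workflow key
        if perms is None:
            result[job_id] = None                              # repository default, unresolved
            continue
        if from_fork and not write_tokens_for_forks:
            perms = {s: ("read" if lvl == "write" else lvl) for s, lvl in perms.items()}
        result[job_id] = perms
    return result


def write_scopes(workflow, **kw):
    """Jobs whose token can write, and the scopes it can write to."""
    return {
        job: sorted(s for s, lvl in perms.items() if lvl == "write")
        for job, perms in effective_permissions(workflow, **kw).items()
        if perms is not None and "write" in perms.values()
    }


# Constructed sample, equivalent to the YAML a reviewer would yaml.safe_load().
SAMPLE_WORKFLOW = {
    "name": "My workflow",
    "on": ["push", "pull_request"],
    "permissions": "read-all",
    "jobs": {
        "build": {"runs-on": "ubuntu-latest", "steps": [{"run": "make test"}]},
        "stale": {
            "runs-on": "ubuntu-latest",
            "permissions": {"issues": "write", "pull-requests": "write"},
            "steps": [{"uses": "actions/stale@v5"}],
        },
    },
}

if __name__ == "__main__":
    for job, perms in effective_permissions(SAMPLE_WORKFLOW).items():
        print(job, perms)
    print("write scopes:", write_scopes(SAMPLE_WORKFLOW))
    print("from a fork:", write_scopes(SAMPLE_WORKFLOW, from_fork=True))
```

Note that the stale job in the sample loses the contents: read it would otherwise inherit from the workflow-level read-all, because its own permissions mapping names only issues and pull-requests; that is the behavior the "all of those that are not specified are set to none" rule produces, and it is the main thing to verify when a job-level key is added to a workflow that already has a top-level one.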