Outdated links related to GITHUB_TOKEN tutorial

[thatrobotdev]

Code of Conduct

• I have read and agree to the GitHub Docs project's Code of Conduct

What article on docs.github.com is affected?

Any article that links to /actions/security-guides/automatic-token-authentication#permissions-for-the-github_token including:

• https://docs.github.com/en/actions/concepts/security/compromised-runners#accessing-secrets

  However, these permissions differ for various event triggers such as issue_comment, issues, push and pull_request from a branch within the repository, where the attacker could attempt to steal repository secrets or use the write permission of the job's GITHUB_TOKEN.

• https://docs.github.com/en/actions/concepts/security/compromised-runners#modifying-the-contents-of-a-repository

  The attacker server can use the GitHub API to modify repository content, including releases, if the assigned permissions of GITHUB_TOKEN are not restricted.

• https://docs.github.com/en/actions/reference/security/secure-use#use-secrets-for-sensitive-information

  It's good security practice to set the default permission for the GITHUB_TOKEN to read access only for repository contents. The permissions can then be increased, as required, for individual jobs within the workflow file. For more information, see Use GITHUB_TOKEN for authentication in workflows.

• https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/scopes-for-oauth-apps#available-scopes

  Workflow files can expose GITHUB_TOKEN which may have a different set of scopes. For more information, see Use GITHUB_TOKEN for authentication in workflows.

• https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-authentication-to-github#authenticating-to-the-api-in-a-github-actions-workflow

  If you need to make changes to resources outside of the workflow repository, you will need to use a personal access token or GitHub App.

  For more information, see Use GITHUB_TOKEN for authentication in workflows.

• https://docs.github.com/en/rest/authentication/authenticating-to-the-rest-api#authenticating-in-a-github-actions-workflow

  You can grant permissions to the GITHUB_TOKEN with the permissions key. For more information, see Use GITHUB_TOKEN for authentication in workflows.

• https://docs.github.com/en/rest/authentication/keeping-your-api-credentials-secure#limit-the-permissions-of-your-credentials

  When authenticating with GITHUB_TOKEN in a GitHub Actions workflow, only give the minimum amount of permissions needed. For more information, see Use GITHUB_TOKEN for authentication in workflows.

• https://docs.github.com/en/rest/guides/scripting-with-the-rest-api-and-javascript#authenticating-in-github-actions

  For more information about GITHUB_TOKEN, see Use GITHUB_TOKEN for authentication in workflows.

• https://docs.github.com/en/rest/guides/scripting-with-the-rest-api-and-ruby#authenticating-in-github-actions

  For more information about GITHUB_TOKEN, see Use GITHUB_TOKEN for authentication in workflows.

and the following reusables:

• docs/data/reusables/actions/jobs/section-assigning-permissions-to-jobs.md

  Line 1 in 5b8a8c9

  You can use `permissions` to modify the default permissions granted to the `GITHUB_TOKEN`, adding or removing access as required, so that you only allow the minimum required access. For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).

  used on https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#permissions

• docs/data/reusables/actions/jobs/section-assigning-permissions-to-jobs-specific.md

  Line 1 in 5b8a8c9

  For a specific job, you can use `jobs.<job_id>.permissions` to modify the default permissions granted to the `GITHUB_TOKEN`, adding or removing access as required, so that you only allow the minimum required access. For more information, see [AUTOTITLE](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).

  used on https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idpermissions

• docs/data/reusables/actions/oidc-permissions-token.md

  Line 1 in 5b8a8c9

  The job or workflow run requires a `permissions` setting with [`id-token: write`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) to allow {% data variables.product.github %}'s OIDC provider to create a JSON Web Token for every run.

  used on
  • https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws#adding-permissions-settings
  • https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-azure#adding-permissions-settings
  • https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-google-cloud-platform#adding-permissions-settings
  • https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-hashicorp-vault#adding-permissions-settings
  • https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-octopus-deploy#adding-permissions-settings
  • https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-cloud-providers#adding-permissions-settings

What part(s) of the article would you like to see updated?

Links to /actions/security-guides/automatic-token-authentication#permissions-for-the-github_token should be updated to #modifying-the-permissions-for-the-github_token or a more relevant page when suitable, as the anchor no longer exists.

Additional information

No response

[welcome]

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.