Token Permissions

This is an exhaustive list of required permissions organized by features.

Important

The GITHUB_TOKEN environment variable should be supplied when running on a private repository. Otherwise the runner does not not have the privileges needed for the features mentioned here.

See also Authenticating with the GITHUB_TOKEN

File Changes

When using files-changed-only or lines-changed-only to get the list of file changes for a CI event, the following permissions are needed:

on: pushon: pull_request

For push events

    permissions:
      contents: read # (1)!

1. This permission is also needed to download files if the repository is not checked out before running cpp-linter.

For pull_request events

    permissions:
      contents: read # (1)!
      pull-requests: read # (2)!

1. For pull requests, this permission is only needed to download files if the repository is not checked out before running cpp-linter.

2. Specifying write is also sufficient as that is required for

   • posting thread comments on pull requests
   • posting pull request reviews

Thread Comments

The thread-comments feature requires the following permissions:

on: pushon: pull_request

For push events

    permissions:
      metadata: read # (1)!
      contents: write # (2)!

1. needed to fetch existing comments
2. needed to post or update a commit comment. This also allows us to delete an outdated comment if needed.

For pull_request events

    permissions:
      pull-requests: write

Pull Request Reviews

The tidy-review, format-review, and passive-reviews features require the following permissions:

    permissions:
      pull-requests: write