Token Permissions

This is an exhaustive list of required permissions organized by features.

Important

The GITHUB_TOKEN environment variable should be supplied when running on a private repository. Otherwise the runner does not have the privileges needed for the features mentioned here.

See also Authenticating with the GITHUB_TOKEN

File Changes

When using --files-changed-only or --lines-changed-only to get the list of file changes for a CI event, the following permissions are needed:

Push

For push events.

    permissions:
        contents: read

The contents permission is also needed to download files if the repository is not checked out before running cpp-linter.

Pull Request

For pull_request events.

    permissions:
        contents: read
        pull-requests: read

For pull requests, the contents permission is only needed to download files if the repository is not checked out before running cpp-linter.

Thread Comments

The --thread-comments feature requires the following permissions:

Push

For push events.

    permissions:
      metadata: read
      contents: write

  • The metadata permission is needed to fetch existing comments.
  • The contents permission is needed to post or update a commit comment. This also allows us to delete an outdated comment if needed.

Pull Request

For pull_request events.

    permissions:
      pull-requests: write

Pull Request Reviews

The tidy-review, format-review, and passive-reviews features require the following permissions:

    permissions:
      pull-requests: write
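
When several features are enabled in one job, the token needs the highest level listed for each scope and nothing more. The following added example (not part of cpp-linter or its documentation) merges the blocks above and compares the result with what a job grants. The feature keys `file-changes`, `thread-comments` and `pr-review` are labels made up for this sketch, and the sample grant is constructed.

```python
# Added example: least-privilege check for a cpp-linter job's `permissions:` block.
LEVEL = {"none": 0, "read": 1, "write": 2}

# (feature, event) -> scopes, transcribed from the permission blocks on this page.
# The feature keys are hypothetical labels, not cpp-linter option names.
REQUIRED = {
    ("file-changes", "push"): {"contents": "read"},
    ("file-changes", "pull_request"): {"contents": "read", "pull-requests": "read"},
    ("thread-comments", "push"): {"metadata": "read", "contents": "write"},
    ("thread-comments", "pull_request"): {"pull-requests": "write"},
    ("pr-review", "pull_request"): {"pull-requests": "write"},
}

def required_permissions(event, features):
    """Merge the per-feature blocks, keeping the highest level per scope."""
    merged = {}
    for feature in features:
        try:
            block = REQUIRED[(feature, event)]
        except KeyError:
            raise ValueError(f"{feature!r} is not documented for {event!r} events")
        for scope, level in block.items():
            if LEVEL[level] > LEVEL[merged.get(scope, "none")]:
                merged[scope] = level
    return merged

def audit(granted, event, features):
    """Return (missing, excess) relative to what the enabled features need.

    missing: scope -> level the job must be raised to.
    excess:  scope -> level granted beyond cpp-linter's needs (other steps in
             the job may still rely on it, so review before removing).
    """
    needed = required_permissions(event, features)
    missing = {s: lvl for s, lvl in needed.items()
               if LEVEL[granted.get(s, "none")] < LEVEL[lvl]}
    excess = {s: lvl for s, lvl in granted.items()
              if LEVEL[lvl] > LEVEL[needed.get(s, "none")]}
    return missing, excess

if __name__ == "__main__":
    # Constructed sample: a pull_request job that lists changed files, posts a
    # thread comment and a review, running with an over-broad token.
    granted = {"contents": "write", "pull-requests": "read", "issues": "write"}
    features = ["file-changes", "thread-comments", "pr-review"]
    print(required_permissions("pull_request", features))
    print(audit(granted, "pull_request", features))
```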