Token Permissions
This is an exhaustive list of required permissions, organized by feature.
File Changes
When using --files-changed-only or --lines-changed-only to get the list of file changes for a CI event, the following permissions are needed:
For push events
permissions:
  contents: read # (1)
(1) This permission is also needed to download files if the repository is not checked out before running cpp-linter.
For pull_request events
permissions:
  contents: read # (1)
  pull-requests: read # (2)
(1) This permission is also needed to download files if the repository is not checked out before running cpp-linter.
(2) Specifying write is also sufficient, as that is required for:
  - posting thread comments on pull requests
  - posting pull request reviews
Thread Comments
The --thread-comments feature requires the following permissions:
For push events
permissions:
  metadata: read # (1)
  contents: write # (2)
(1) Needed to fetch existing comments.
(2) Needed to post or update a commit comment. This also allows us to delete an outdated comment if needed.
For pull_request events
permissions:
  pull-requests: write
Pull Request Reviews
The --tidy-review, --format-review, and --passive-reviews features require the following permissions:
permissions:
  pull-requests: write