What pemission scopes does the action need for the generated `GITHUB_TOKEN`?

Hello there, hope everything is fine

I was wondering which permission scopes should I grant for the PAT (personal access token) of changesets action.
Below is the list of permission scopes available for PATs, I have some ambiguity to choose some of them.

And there's also some problem with this approach of giving PAT as github_token to the action, since the PAT gives access to all repos and you can't limit the scope.
Isn't there any better approach for that?

[Andarist]

Quite frankly - I'm not entirely sure. Those permissions are always confusing to me. Especially since they don't correspond 1 to 1 to the permissions for the workflow jobs.

What we need is:

• fetch the content of the repository
• push to the repository
• search through PRs
• create PRs
• create GitHub releases

This would be definitely useful information to have in the docs but it requires some experimentation to figure out which minimal combination of those scopes would allow the action to function properly.

And there's also some problem with this approach of giving PAT as github_token to the action, since the PAT gives access to all repos and you can't limit the scope.

You can create a new "bot"-like account, limit its access to a particular repo and generate PAT for that account.

[frangio]

You can find the required permissions by looking up the REST endpoints in Permissions required for fine-grained personal access tokens.

Edit: Hm, these don't look like the ones in the screenshot. But see section below.

---

And there's also some problem with this approach of giving PAT as github_token to the action, since the PAT gives access to all repos and you can't limit the scope.
Isn't there any better approach for that?

You should look into Fine-grained PATs. You can scope them by repository.

[ernestognw]

What we need is:

• fetch the content of the repository
• push to the repository
• search through PRs
• create PRs
• create GitHub releases

To summarize, the permissions required are:

• Contents (read/write): Covers fetch content of the repository, push commits and create releases
• Pull Request (read/write): Covers create and write PRs

If you don't publish using Changesets, Releases is not required although it falls inside of the Contents category

[dstaley]

For anyone thinking of using fine-grained tokens, be aware that they don't currently support the GraphQL API, which is required for @changesets/changelog-github:

Personal access tokens with fine grained access do not support the GraphQL API

[Andarist]

I'm using those in XState and it works fine (but I don't use the GraphQL API there):
https://github.com/statelyai/xstate/blob/aad4991b4eb04faf979a0c8a027a5bcf861f34b3/.github/workflows/release.yml#L13-L16

I'd appreciate it if somebody could prepare a PR documenting this.

[dstaley]

@Andarist ah sorry! I'm so used to the GitHub changelogs that I forgot it's not the default configuration. I've edited my comment to be more accurate. Thanks for the clarification!

[kenneth-gray]

What we need is:

• fetch the content of the repository
• push to the repository
• search through PRs
• create PRs
• create GitHub releases

To summarize, the permissions required are:

• Contents (read/write): Covers fetch content of the repository, push commits and create releases
• Pull Request (read/write): Covers create and write PRs

If you don't publish using Changesets, Releases is not required although it falls inside of the Contents category

@ernestognw Is this using the fine-grained tokens? I haven't been able to get this to work with just those 2 read/write permissions.

[kenneth-gray]

I can confirm that these permissions work as expected. I struggled to get the token recognised. As seen in some other issues, adding the PAT token as part of the GitHub checkout action solved my problem.

[nyonson]

@kenneth-gray did you get this working by not using the changeset version? I still get Personal access tokens with fine grained access do not support the GraphQL API even with the PAT using those permissions and set on both the checkout action and changeset action.