I'm trying to add a CD deployment step to our GitHub Action. As part of that, I need a GitHub access token that has the ability to check if the user that submitted the PR is a member of a particular team. GITHUB_TOKEN seems to be the mechanism for getting that in a GitHub Action, but it does not seem to have permission to access this API or isn't impersonating the user, as when I use it in an action to try to test this approach:
    - name: Check team membership
      run: |
        curl \
          -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
          https://api.github.com/orgs/fabriq-cloud/teams/fabriq/members
I get a 404:
    {
      "message": "Not Found",
      "documentation_url": "https://docs.github.com/rest/reference/teams#list-team-members"
    }
while locally with a PAT for the same user this returns the list of members of the team.
Is there a way to get a GITHUB_TOKEN that has the ability to impersonate the user submitting the PR, with a narrow scope to check if that user is a member of a team?
CodePudding user response:
The GITHUB_TOKEN secret is basically a GitHub App installation access token, and its permissions are limited to the repository that contains your workflow since the App has access to a single repo.
Try to generate a separate token (selecting the read:org scope), set it up as an Actions Secret for your repo, and then use this new secret for accessing the Teams API in your Workflow.
read:org scope: Read-only access to organization membership, organization projects, and team membership.
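The approach in the answer above, written out as a step script. This is an added example, not code from the original post: it checks a single user with GitHub's `GET /orgs/{org}/teams/{team_slug}/memberships/{username}` endpoint (a different call from the member list in the question) and fails closed on anything but an active membership. `TEAM_TOKEN`, `ORG_READ_TOKEN` and `check_team.sh` are assumed names.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: TEAM_TOKEN is an
# env var holding the separate read:org token, e.g. set in the workflow step:
#   env:
#     TEAM_TOKEN: ${{ secrets.ORG_READ_TOKEN }}   # hypothetical secret name
#     PR_AUTHOR: ${{ github.event.pull_request.user.login }}
#   run: |
#     . ./check_team.sh   # hypothetical file name for this script
#     [ "$(check_team_membership fabriq-cloud fabriq "$PR_AUTHOR")" = member ]

# Map the HTTP status and JSON body of the membership call to a decision.
# Only "member" should let a deployment proceed; everything else fails closed.
membership_decision() (
  status=$1
  body=$2
  case "$status" in
    200)
      # state is "active" or "pending"; a pending invite is not membership yet.
      if printf '%s' "$body" | grep -Eq '"state"[[:space:]]*:[[:space:]]*"active"'; then
        echo member
      else
        echo not-member
      fi ;;
    # 404 is ambiguous: the user is not in the team, or the token cannot see
    # the org or team (the response GITHUB_TOKEN got in the question).
    404) echo not-member ;;
    401|403) echo token-error ;;
    *) echo error ;;
  esac
)

# Query GET /orgs/{org}/teams/{team_slug}/memberships/{username}.
check_team_membership() (
  org=$1; team=$2; user=$3
  tmp=$(mktemp) || exit 1
  status=$(curl -sS -o "$tmp" -w '%{http_code}' \
    -H "Authorization: Bearer ${TEAM_TOKEN:?TEAM_TOKEN is not set}" \
    -H "Accept: application/vnd.github+json" \
    "https://api.github.com/orgs/${org}/teams/${team}/memberships/${user}") || status=000
  body=$(cat "$tmp"); rm -f "$tmp"
  membership_decision "$status" "$body"
)
```

Passing the token through `env:` rather than interpolating `${{ secrets.* }}` into the script text keeps it out of the rendered command.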