Merge pull request #52062 from github/repo-sync
Repo sync
docs-bot authored Aug 20, 2024
2 parents 95cb45c + 2f12ab5 commit 7c4e3ec
Showing 8 changed files with 8 additions and 8 deletions.
Expand Up @@ -91,7 +91,7 @@ The following table shows the permissions granted to the `GITHUB_TOKEN` by defau
| deployments | read/write | none | read |
| discussions | read/write | none | read |
| {% ifversion fpt or ghec %} |
| id-token | none | none | read |
| id-token | none | none | none |
| {% endif %} |
| issues | read/write | none | read |
| metadata | read | read | read |
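Review bot: the `id-token` row now reads `none` in every column, including the maximum for pull requests from public forks, and the table gives no hint that this scope has no `read` level at all (the permissions template later in this change lists only `write|none` for it). A footnote on the row, or a sentence above the table, saying that `id-token` accepts only `write` or `none` would explain why its defaults and its maximum all show `none` rather than `read`.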
Expand Up @@ -118,7 +118,7 @@ To update your workflows for OIDC, you will need to make two changes to your YAM

### Adding permissions settings

 {% data reusables.actions.oidc-permissions-token %}
{% data reusables.actions.oidc-permissions-token %}

### Requesting the access token

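Review bot: dropping the single leading space before `{% data reusables.actions.oidc-permissions-token %}` is a whitespace-only change; one leading space does not alter Markdown rendering, so this reads as a lint or consistency fix rather than a visible one, and the same edit recurs in the three following hunks. Fine to merge; a line in the commit message naming it would save the next reviewer scanning four near-identical hunks.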
Expand Up @@ -66,7 +66,7 @@ To update your workflows for OIDC, you will need to make two changes to your YAM

### Adding permissions settings

 {% data reusables.actions.oidc-permissions-token %}
{% data reusables.actions.oidc-permissions-token %}

### Requesting the access token

Expand Up @@ -39,7 +39,7 @@ If your cloud provider doesn't yet offer an official action, you can update your

### Adding permissions settings

 {% data reusables.actions.oidc-permissions-token %}
{% data reusables.actions.oidc-permissions-token %}

### Using official actions

Expand Up @@ -51,7 +51,7 @@ To update your workflows for OIDC, you will need to make two changes to your YAM

### Adding permissions settings

 {% data reusables.actions.oidc-permissions-token %}
{% data reusables.actions.oidc-permissions-token %}

### Requesting the access token

Expand Up @@ -7,7 +7,7 @@ permissions:
checks: read|write|none
contents: read|write|none
deployments: read|write|none{% ifversion fpt or ghec %}
id-token: read|write|none{% endif %}
id-token: write|none{% endif %}
issues: read|write|none
discussions: read|write|none
packages: read|write|none
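Review bot: `id-token: write|none{% endif %}` is consistent with the table change earlier in this commit, but in this template `write` sits in a column of `read|write|none` values where `write` really does grant write access to a resource. Since the reusable changed in this same commit stresses that `id-token: write` only permits requesting the OIDC token, consider a trailing comment on that line, or a note directly under the template, so the narrower meaning is not lost on readers who copy the block.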
2 changes: 1 addition & 1 deletion data/reusables/actions/github-token-scope-descriptions.md
@@ -1,4 +1,4 @@
For each of the available permissions, shown in the table below, you can assign one of the access levels: `read`, `write`, or `none`. `write` includes `read`. If you specify the access for any of these permissions, all of those that are not specified are set to `none`.
For each of the available permissions, shown in the table below, you can assign one of the access levels: `read` (if applicable), `write`, or `none`. `write` includes `read`. If you specify the access for any of these permissions, all of those that are not specified are set to `none`.

Available permissions and details of what each allows an action to do:

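Review bot: `read` (if applicable) tells the reader that a read level is sometimes unavailable without saying when. The only such scope in this change is `id-token` (the permissions template now offers it `write|none`), so naming it, for example "`read` (not every permission supports it; `id-token` accepts only `write` or `none`)", would make the sentence actionable instead of leaving the reader to find the exception in the table.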
2 changes: 1 addition & 1 deletion data/reusables/actions/oidc-permissions-token.md
@@ -1,4 +1,4 @@
The job or workflow run requires a `permissions` setting with [`id-token: write`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token). You won't be able to request the OIDC JWT ID token if the `permissions` setting for `id-token` is set to `read` or `none`.
The job or workflow run requires a `permissions` setting with [`id-token: write`](/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) to allow {% data variables.product.prodname_dotcom %}'s OIDC provider to create a JSON Web Token for every run. You won't be able to request the OIDC JWT ID token if the `permissions` for `id-token` is not set to `write`, however this value doesn't imply granting write access to any resources, only being able to fetch and set the OIDC token for an action or step to enable authenticating with a short-lived access token. Any actual trust setting is defined using OIDC claims, for more information see "[AUTOTITLE](/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect#configuring-the-oidc-trust-with-the-cloud)."

The `id-token: write` setting allows the JWT to be requested from {% data variables.product.prodname_dotcom %}'s OIDC provider using one of these approaches:

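Review bot: the replacement sentence runs three clauses together with commas ("... is not set to `write`, however this value doesn't imply ..." and "... OIDC claims, for more information see ..."); split them into separate sentences. Two wording points as well: "to create a JSON Web Token for every run" suggests the token is minted unconditionally, while the next sentence says it must be requested, so "to issue a JSON Web Token when the job requests one" fits better; and "fetch and set the OIDC token" leaves unclear what "set" means, where "request the OIDC token" would match the "Requesting the access token" heading used in the other files of this change. "OIDC JWT ID token" also repeats itself; "OIDC ID token (a JWT)" reads cleaner.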
0 comments on commit 7c4e3ec