Github App Permissions

[rsitro-chrono]

According to your doc it states the only permissions required are actions: read and secrets metadata: read. However when installing the app I see it actually is requesting:

"permissions": {
"actions": "read",
"secrets": "read",
"metadata": "read",
"organization_secrets": "read"
},

Any way I can limit this to only actions:read and metadata :read?

[varunsh-coder]

Hi @rsitro-chrono,

We discussed this over email, but also adding here since others might also have the same question.

"secrets": "read" and "organization_secrets": "read" only give access to the metadata about the secrets. It does not give access to the actual secret.

We use this to show secrets that have not been rotated for a long time.
https://docs.stepsecurity.io/review-github-actions-secrets/review-secrets

As you can see from this GitHub API documentation, it only returns the name of the secret, when it was created, and when it was last updated.
https://docs.github.com/en/rest/actions/secrets?apiVersion=2022-11-28#list-repository-secrets

We have designed our App to not have access to customer code or secrets.