What scopes are needed for a GITHUB_TOKEN to write secrets to a repository?

[TSNoble]

Hi,

I'm trying to get a github runner to update a secret in a github workflow, but I can't figure out what scopes it needs to do so. I've tried searching online, and the API docs and general results all make reference to using PATs, which I want to avoid as tying runner credentials to my personal user seems like a bad practice.

I think this page would greatly benefit from a list of API endpoint groups that are accessible for each scope (or the API docs could be updated to include required GITHUB_TOKEN scopes). This isn't the first time the difference in scopes between PATs and GITHUB_TOKEN have caused issues and I feel that scopes such as "checks" and "contents" don't help much in the way of determining what I'm granting access to.

Any help would be appreciated.

[TSNoble]

Bumping as this is still an issue

[joshmgross]

Under "Permissions for the GITHUB_TOKEN" there's a link to https://docs.github.com/en/rest/overview/permissions-required-for-github-apps which includes each API endpoint and the permissions required.

The secrets API requires the secrets permission, which is not available in an Actions workflow via the GITHUB_TOKEN.

https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-secrets

[rr-tom-noble]

Fixed by using a GitHub App and obtaining a token. For those wondering, the steps are as follows:

• Create new GitHub App
• Set permissions (in this case secrets: read and write)
• Install the App into the relevant Repositories (has a similar effect to a fine-scoped PAT)
• Generate a private key for the App
• Store the App ID and private key as Secrets in the Repository wishing to use the token
• Use the Create Github App Token action in a workflow to generate a token
• Any PAT usage can be replaced with this token