docs: improve github actions recipe on git plugin (#1626)

2020-09-06 19:38:29 +02:00 · 2020-09-06 19:38:29 +02:00 · 9635f50da6
commit 9635f50da6
parent d036a899d5
1 changed files with 10 additions and 0 deletions
--- a/docs/recipes/github-actions.md
+++ b/docs/recipes/github-actions.md
@ -50,6 +50,16 @@ To keep `package.json` updated in the `master` branch, [`@semantic-release/git`]

 **Note**: Automatically populated `GITHUB_TOKEN` cannot be used if branch protection is enabled for the target branch. It is **not** advised to mitigate this limitation by overriding an automatically populated `GITHUB_TOKEN` variable with a [Personal Access Tokens](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line), as it poses a security risk. Since Secret Variables are available for Workflows triggered by any branch, it becomes a potential vector of attack, where a Workflow triggered from a non-protected branch can expose and use a token with elevated permissions, yielding branch protection insignificant. One can use Personal Access Tokens in trusted environments, where all developers should have the ability to perform administrative actions in the given repository and branch protection is enabled solely for convenience purposes, to remind about required reviews or CI checks.

+If the risk is acceptible, some extra configuration is needed. The [actions/checkout `persist-credentials`](https://github.com/marketplace/actions/checkout#usage) option needs to be `false`, otherwise the generated `GITHUB_TOKEN` will interfere with the custom one. Example:
+
+```yaml
+- name: Checkout
+    uses: actions/checkout@v2
+    with:
+      fetch-depth: 0
+      persist-credentials: false # <--- this
+```
+
 ## Trigger semantic-release on demand

 ### Using GUI: