Restricted Permissions

Included in v0.0.20

GitHub introduced permissions for GITHUB_TOKEN which enables one to restrict tokens to just the necessary permissions.

check-spelling has a couple of distinct phases that have differing requirements.

It's better from a security perspective to use "least privilege".

Requirements by phase

checking

• contents: read -- to read the repository (to check it out) -- for a pull_request_target, this may include untrusted content (the merge)
• pull-requests: read -- to determine if this push event should be skipped in favor of a related pull_request_target event.

commenting

• contents: write -- if it's commenting on a commit (i.e. on: push)
• pull-requests: write -- if it's commenting on a PR (i.e. on: pull_request_target)

updating branches

• contents: write -- to write new commits
• pull-requests: write -- to collapse existing comments and write a new comment

Workflow

• https://raw.githubusercontent.com/check-spelling/spell-check-this/main/.github/workflows/spelling.yml defines a workflow that is compatible with these requirements

---

FAQ | Showcase | Event descriptions | Configuration information | Known Issues | Possible features | Deprecations | Release notes | Helpful scripts