Runners do not log the `id-token` permission
Disclaimer
Please point me elsewhere if this isn't the right place to raise this. It seems like the runner only dumps a map it gets from the job context but I couldn't find where system.github.token.permissions is managed.
Describe the bug
When a workflow sets the id-token permission the logs do not include it when reporting what permissions the GITHUB_TOKEN had. This is undesirable from a security and auditing perspective.
Related, but less important: the ~~Attestations~~ [edit: it looks like this was released yesterday] and Discussions permissions which are logged do not appear to be documented.
To Reproduce
Add the below permissions block to a workflow (e.g. a simple example):

```yaml
permissions:
  id-token: write
```
and check the logs of the workflow run to see that the permissions are reported as:

```
GITHUB_TOKEN Permissions
  Metadata: read
```
Expected behavior
The logs would include (for instance):

```
GITHUB_TOKEN Permissions
  IdToken: write
  Metadata: read
```
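A small audit helper, added here as an example and not part of the runner or of this report: it parses the `GITHUB_TOKEN Permissions` block of a job log and lists the scopes a workflow granted that the log does not show at the same level. The `IdToken` spelling is assumed from the expected output above, and both log snippets are constructed samples.

```python
import re

# Constructed sample: the permissions block from the workflow in this report
WORKFLOW_PERMISSIONS = {"id-token": "write"}

# Constructed sample of the log section as the runner currently prints it (id-token missing)
OBSERVED_LOG = """\
GITHUB_TOKEN Permissions
  Metadata: read
Secret source: Actions
"""

# Constructed sample of the log section as the report expects it to look
EXPECTED_LOG = """\
GITHUB_TOKEN Permissions
  IdToken: write
  Metadata: read
Secret source: Actions
"""

PERM_LINE = re.compile(r"^\s*(\w+):\s*(read|write|none)\s*$")


def parse_token_permissions(log: str) -> dict:
    """Return {scope: level} from the 'GITHUB_TOKEN Permissions' block of a job log."""
    perms = {}
    in_block = False
    for line in log.splitlines():
        if line.strip() == "GITHUB_TOKEN Permissions":
            in_block = True
            continue
        if not in_block:
            continue
        m = PERM_LINE.match(line)
        if not m:
            break  # first line that is not "<Scope>: <level>" ends the block
        perms[m.group(1)] = m.group(2)
    return perms


def to_log_name(scope: str) -> str:
    """Map a workflow scope such as 'id-token' to the PascalCase name the log uses ('IdToken')."""
    return "".join(part.capitalize() for part in scope.split("-"))


def missing_from_log(workflow_perms: dict, log: str) -> dict:
    """Scopes granted in the workflow that the log omits or reports at a different level."""
    logged = parse_token_permissions(log)
    return {s: lvl for s, lvl in workflow_perms.items() if logged.get(to_log_name(s)) != lvl}
```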
Runner Version and Platform
This was tested on self-hosted runners in an EMU instance and on GitHub runners in a public repository. The reported versions from the public repository are:
```
Current runner version: '2.316.0'
Operating System
  Ubuntu
  22.04.4
  LTS
Runner Image
  Image: ubuntu-22.04
  Version: 20240422.1.0
  Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20240422.1/images/ubuntu/Ubuntu2204-Readme.md
  Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20240422.1
Runner Image Provisioner
  2.0.369.1
```
What's not working?
See report body above
Job Log Output
See report body above
Runner and Worker's Diagnostic Logs
N/A