Misleading wording regarding permissions and access to secrets
Code of Conduct
- [X] I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
https://docs.github.com/en/actions/security-guides/encrypted-secrets
https://github.com/github/docs/blob/main/data/reusables/actions/permissions-statement-secrets-variables-repository.md
What part(s) of the article would you like to see updated?
There's a mismatch between the UI and the API regarding permissions and access rights to secrets.
As stated in https://github.com/github/vscode-github-actions/issues/62 and in https://docs.github.com/en/rest/actions/secrets?apiVersion=2022-11-28#about-secrets-in-github-actions, authenticated users with collaborator access can update, create and delete repository secrets through the API. This feature is not available in the UI, since Secrets and variables exist in the Settings tab, which requires admin access.
The docs should reflect this mismatch. I suggest making a distinction between the UI and the API regarding the aforementioned permissions.
Change^1:
To create secrets or variables for an organization repository, you must have `admin` access.
to:
To create secrets or variables for an organization repository, through the GitHub REST API^2, you must have `collaborator` access. To create secrets or variables for an organization repository, through GitHub.com, you must have `admin` access.
Additional information
No response
Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.
@gmargaritis Thanks so much for opening an issue! We appreciate the links and extra context! ✨
I'll triage this for the team to take a look 👀
👋🏼 Hi @gmargaritis, thanks for opening this issue and providing context! ✨ Clarifying this information makes sense to me 👍🏼 I've added the "help wanted" label. For whoever picks this work up, we should make the following changes:
Change #1
The note in "Encrypted secrets" should be changed from
You can use the REST API to manage secrets. For more information, see "[AUTOTITLE](/rest/actions#secrets)."
to
Users with collaborator access to a repository can use the REST API to manage secrets for that repository, and users with admin access to an organization can use the REST API to manage secrets for that organization. For more information, see "[AUTOTITLE](/rest/actions#secrets)."
Change #2
The permissions-statement-secrets-variables-repository.md reusable should be changed from
To create secrets {% ifversion actions-configuration-variables %}or variables {% endif %}for a personal account repository, you must be the repository owner. To create secrets {% ifversion actions-configuration-variables %}or variables {% endif %}for an organization repository, you must have `admin` access.
to
To create secrets {% ifversion actions-configuration-variables %}or variables {% endif %}on {% data variables.product.prodname_dotcom %} for a personal account repository, you must be the repository owner. To create secrets {% ifversion actions-configuration-variables %}or variables {% endif %}on {% data variables.product.prodname_dotcom %} for an organization repository, you must have `admin` access. Lastly, to create secrets {% ifversion actions-configuration-variables %}or variables {% endif %}for a personal account repository or an organization repository through the REST API, you must have collaborator access.
Thanks again for your help maintaining our docs!
@sabrowning1 Your suggestions make sense 🚀
I can open up a pull request for this one!