
What permissions are needed for Github Actions to create a tag and release for a Protected Tag?

I was reading about protected tags and how they can be created on Github through the Settings tab of a particular repository.

I have a github actions workflow which:

  1. Creates a new release
  2. Since it creates a new release, it also creates a new tag
  3. Uploads files and data to the release

Here is an example of my workflow, which has only some of the key parts.

name: myExample

on: 
  push:
    branches: [ master ]

permissions:
  contents: write

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v3
    - name: Set up Python 3.8.3
      uses: actions/setup-python@v3
      with:
        python-version: "3.8.3"

     ... Some Steps ...

    - name: Create Release
      id: create_release
      uses: actions/create-release@v1
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
        tag_name: ${{env.VERSION}}
        release_name: ${{env.RELEASE_STRING}}
        draft: false
        prerelease: false

    - name: Upload Release Asset 1
      id: upload-release-asset-1
      uses: actions/upload-release-asset@v1
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
        upload_url: ${{ steps.create_release.outputs.upload_url }}
        asset_path: ./test.zip
        asset_name: test.zip
        asset_content_type: application/zip

     ... Some Steps ...

I imagine I need to primarily focus on the section:

permissions:
  contents: write

What do I need to change so that this workflow can write protected tags and generally can work with protected tags?

Currently, my rule for protected tags is:

*

According to this article, "GitHub Apps require the Repository administration: write permission to modify a protected tag."

I looked at Github Actions permissions in this article, but I don't see those permissions.

I now thought I need to create a Personal Access Token and use it according to this article and this article. When creating a PAT, I didn't immediately see exactly what was described above with Repository administration: write. Perhaps if I'm an admin or maintainer of the repo and I create a PAT with full repo permissions, then that would do it, since the token is associated with me as an admin, and therefore I can create a release on the protected branch as an admin. I haven't tested this yet; it is just a theory after searching around.

asked Sep 13 '25 02:09 by geekygeek

2 Answers

You can set the permissions at the job level, so rather than granting them to the whole action, you set write and can limit it to the job:

  version:
    permissions: write-all
    name: versioning
    runs-on: ubuntu-latest
    steps:
      - uses: actions/[email protected]
        with:
          fetch-depth: '0'
      - name: Bump version and push tag
        uses: anothrNick/[email protected]
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          DEFAULT_BUMP: patch
          WITH_V: "true"
    needs: [terraform, security]
answered Sep 15 '25 16:09 by James Woolfenden


In order to create a tag ref, you need write permissions on contents and actions:

permissions:
  contents: write
  actions: write

And in order to work with artifact attestations (actions/upload-release-asset), you also need attestations: write.

So in your case:

permissions:
  contents: write
  actions: write
  attestations: write

You can check the full list of permissions in the official doc: Assigning permissions to jobs.

answered Sep 15 '25 15:09 by Kjuly
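A job-scoped variant of the asker's workflow, as an added example that is not part of either answer or the original post: the write-all from the first answer is replaced with the narrowest grants per job (the second answer's list is the reference for which scopes exist), with a read-only build job and a separate release job that is the only one holding contents: write. It assumes a secret named RELEASE_TOKEN holding a PAT or GitHub App installation token for the case where the "*" tag protection rule rejects GITHUB_TOKEN (which has no administration scope to grant), and that VERSION and RELEASE_STRING are set by earlier steps that are omitted here.

```yaml
name: release

on:
  push:
    branches: [ master ]

# Default for every job: GITHUB_TOKEN gets no permissions at all.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    # Building only needs to read the repository.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v3
      # ... build steps that produce ./test.zip ...
      - uses: actions/upload-artifact@v3
        with:
          name: dist
          path: ./test.zip

  release:
    needs: build
    runs-on: ubuntu-latest
    # Only this job can write to the repository, and only repository contents.
    # GITHUB_TOKEN cannot be given "administration", so if the "*" tag
    # protection rule blocks it, store a PAT or GitHub App installation token
    # in the RELEASE_TOKEN secret (assumed name); the expression below falls
    # back to GITHUB_TOKEN when that secret is not set.
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v3
        with:
          name: dist
      - name: Create Release
        id: create_release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN || secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ env.VERSION }}
          release_name: ${{ env.RELEASE_STRING }}
          draft: false
          prerelease: false
```

Whichever token ends up creating the tag is the identity the protection rule is evaluated against, so the audit log for the release will show that user or app rather than the workflow itself.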