10 changes: 10 additions & 0 deletions README.md
@@ -115,6 +115,7 @@ under `terraform/<repo>/` in S3. This is used by `apply.yml`'s drift-plan housek
| Secret | Required | Description |
|---|---|---|
| `kosli_api_token` | if `kosli_template_file` is set | Kosli API token for the attest steps. |
| `kosli_github_token` | no (only `apply.yml`) | GitHub token used by `kosli attest pr github` to look up pull requests. When omitted, the pull-request attestation step is skipped. Typically passed as `${{ secrets.GITHUB_TOKEN }}` — in which case the **calling job must also declare `pull-requests: read`** in its `permissions:` block (see example below), otherwise the attestation step will fail with `Resource not accessible by integration`. |

### What it does

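Review bot: the `Required` cell for `kosli_github_token` reads `no (only `apply.yml`)`, which mixes optionality with which workflow consumes the secret, and the long permissions caveat in the Description cell repeats the explanation that the same change adds in prose after the YAML example. Suggest keeping the row to the essentials, e.g. `| `kosli_github_token` | no | GitHub token for `kosli attest pr github` in `apply.yml`; when omitted, the pull-request attestation step is skipped. |`, and leaving the `pull-requests: read` and `Resource not accessible by integration` detail to that paragraph so there is one place to update. It would also help to say explicitly that read access to pull requests is all the step needs, so readers are not tempted to supply a token with broader scope than a `permissions:`-scoped `${{ secrets.GITHUB_TOKEN }}`.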
@@ -174,6 +175,7 @@ jobs:
permissions:
id-token: write
contents: write
pull-requests: read
uses: kosli-dev/tf/.github/workflows/apply.yml@main
strategy:
fail-fast: false
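Review bot: the example now grants `pull-requests: read` on the caller side, but this change touches only README.md (10 additions, 0 deletions), and by the intersection rule the change itself documents, the called job in `apply.yml` must also hold that permission or the example fails with the very `Resource not accessible by integration` error the README warns about. Please confirm that `apply.yml`'s job-level `permissions:` already includes `pull-requests: read` (or add it in the same change); otherwise the README documents a configuration that does not work. A short trailing comment on the new line, e.g. `pull-requests: read # needed by kosli attest pr github`, would also tell readers why it is there, since the explanation only appears after the YAML block.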
@@ -188,12 +190,20 @@ jobs:
kosli_template_file: kosli-apply-template.yml
secrets:
kosli_api_token: ${{ secrets.KOSLI_API_TOKEN }}
kosli_github_token: ${{ secrets.GITHUB_TOKEN }}
```

The `KOSLI_API_TOKEN` secret should be configured at the repository or organization level in
GitHub. If `kosli_template_file` is left empty, every Kosli step is skipped and the token is not
required.

The `pull-requests: read` permission and the `kosli_github_token` secret are both needed by the
`kosli attest pr github` step in `apply.yml`. They go together: GitHub computes the token's
permissions in a reusable workflow as the intersection of the caller job's `permissions:` and the
called job's `permissions:`, so both sides must grant `pull-requests: read` or the attestation
step fails with `Resource not accessible by integration`. Omit both if you don't need
pull-request attestation — the step is skipped when `kosli_github_token` is not passed.

[drift-doc]: https://github.com/kosli-dev/knowledge-base/blob/main/drift-detection.md

## Configuration
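Review bot: the skip conditions are spread across three places and their precedence is left implicit: the table says `kosli_api_token` is required only when `kosli_template_file` is set, the paragraph after the example says every Kosli step is skipped when `kosli_template_file` is empty, and the new paragraph says the pull-request attestation step is skipped when `kosli_github_token` is not passed. One sentence stating the order (template file empty: all Kosli steps skipped, token irrelevant; template set but no GitHub token: only the PR attestation skipped) would save readers from inferring it. On the intersection wording, it is worth saying that a called workflow can only narrow the permissions the caller grants, never add to them, which is why a missing `pull-requests: read` on the caller side is the usual cause of the error; as written, "both sides must grant" is only true when `apply.yml` declares its own `permissions:` block. Minor: the example passes `${{ secrets.GITHUB_TOKEN }}` while the prose names the secret `kosli_github_token`; a clause tying the input name to the value supplied would avoid confusion for readers who skip the YAML.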