Fix Actions default workflow permissions (#33697)

Co-authored-by: Siara <108543037+SiaraMist@users.noreply.github.com>
2023-01-05 04:17:20 +09:00 · 2023-01-05 04:17:20 +09:00 · d183d92ffd
--- a/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md
+++ b/content/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise.md
@ -128,7 +128,7 @@ You can set the default permissions for the `GITHUB_TOKEN` in the settings for y

 ### Configuring the default `GITHUB_TOKEN` permissions

-{% ifversion allow-actions-to-approve-pr-with-ent-repo %}
+{% ifversion actions-default-workflow-permissions-restrictive %}
 By default, when you create a new enterprise, `GITHUB_TOKEN` only has read access for the `contents` scope.
 {% endif %}

@ -149,7 +149,9 @@ By default, when you create a new enterprise, `GITHUB_TOKEN` only has read acces

 {% data reusables.actions.workflow-pr-approval-permissions-intro %}

+{% ifversion actions-default-workflow-permissions-restrictive %}
 By default, when you create a new enterprise, workflows are not allowed to create or approve pull requests.
+{% endif %}

 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.policies-tab %}
--- a/content/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization.md
+++ b/content/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization.md
@ -108,8 +108,8 @@ You can set the default permissions for the `GITHUB_TOKEN` in the settings for y

 ### Configuring the default `GITHUB_TOKEN` permissions

-{% ifversion allow-actions-to-approve-pr-with-ent-repo  %}
-By default, when you create a new organization, `GITHUB_TOKEN` only has read access for the `contents` scope.
+{% ifversion actions-default-workflow-permissions-restrictive %}
+By default, when you create a new organization,{% ifversion ghec or ghes or ghae %} the setting is inherited from what is configured in the enterprise settings.{% else %} `GITHUB_TOKEN` only has read access for the `contents` scope.{% endif %}
 {% endif %}

 {% data reusables.profile.access_profile %}
@ -159,7 +159,7 @@ By default, when you create a new organization, workflows are not allowed to {%

 ## Managing {% data variables.product.prodname_actions %} cache storage for your organization

-Organization administrators can view {% ifversion actions-cache-admin-ui %}and manage {% endif %}{% data variables.product.prodname_actions %} cache storage for all repositories in the organization. 
+Organization administrators can view {% ifversion actions-cache-admin-ui %}and manage {% endif %}{% data variables.product.prodname_actions %} cache storage for all repositories in the organization.

 ### Viewing {% data variables.product.prodname_actions %} cache storage by repository

--- a/content/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository.md
+++ b/content/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository.md
@ -111,7 +111,7 @@ The default permissions can also be configured in the organization settings. If

 ### Configuring the default `GITHUB_TOKEN` permissions

-{% ifversion allow-actions-to-approve-pr-with-ent-repo %}
+{% ifversion actions-default-workflow-permissions-restrictive %}
 By default, when you create a new repository in your personal account, `GITHUB_TOKEN` only has read access for the `contents` scope. If you create a new repository in an organization, the setting is inherited from what is configured in the organization settings.
 {% endif %}

@ -133,7 +133,9 @@ By default, when you create a new repository in your personal account, `GITHUB_T

 {% data reusables.actions.workflow-pr-approval-permissions-intro %}

+{% ifversion actions-default-workflow-permissions-restrictive %}
 By default, when you create a new repository in your personal account, workflows are not allowed to create or approve pull requests. If you create a new repository in an organization, the setting is inherited from what is configured in the organization settings.
+{% endif %}

 {% data reusables.repositories.navigate-to-repo %}
 {% data reusables.repositories.sidebar-settings %}
--- a/data/features/actions-default-workflow-permissions-restrictive.yml
+++ b/data/features/actions-default-workflow-permissions-restrictive.yml
@ -0,0 +1,7 @@
+# Reference: #9014.
+# Versioning for enterprise/organization/repository policy settings for workflow permissions granted to GTIHUB_TOKEN to be readonly by default and not allow GitHub Actions to create or approve pull requests.
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>=3.9'
+  ghae: '>=3.9'