Skip to content

GitHub Actions: Control permissions for GITHUB_TOKEN

GitHub Actions now lets you control the permissions granted to the GITHUB_TOKEN secret.

The GITHUB_TOKEN is an automatically generated secret that lets you make authenticated calls to the GitHub API in your workflow runs. Actions generates a new token for each job and expires the token when a job completes. The token has write permissions to a number of API endpoints except in the case of pull requests from forks which are always read. These new settings allow you to follow a principle of least privilege in your workflows.

Setting permissions in the workflow

A new permissions key supported at the workflow and job level enables you to specify which permissions you want for the token. Any permission that is absent from the list will be set to none.

  actions: read|write|none
  checks: read|write|none
  contents: read|write|none
  deployments: read|write|none
  issues: read|write|none
  packages: read|write|none
  pull-requests: read|write|none
  repository-projects: read|write|none
  security-events: read|write|none
  statuses: read|write|none

Pull requests from public forks are still considered a special case and will receive a read token regardless of these settings.

Setting the default permissions for the organization or repository

A new admin setting lets you set the default permissions for the token in your organization or repository.

You can choose between two options:

  • Read/write for all scopes (current default)
  • Read repo contents

Setting the default to contents:read is sufficient for any workflows that simply need to clone and build. If you need additional permissions you will need to specify those in your workflow yaml.


Learn more about setting the token permissions

For questions, visit the GitHub Actions community

To see what’s next for Actions, visit our public roadmap

In February 2020, to strengthen the security of our API, we deprecated API Authentication via Query Parameters and the OAuth Application API to avoid unintentional logging of in-transit access tokens. In the coming months, we'll be removing these endpoints and authentication flow according to the following schedule:

OAuth Application API

Please refer to this blog post on migrating to the replacement endpoints.


  • May 5, 2021: For 12 hours starting at 14:00 UTC
  • June 9, 2021: For 24 hours starting at 14:00 UTC


  • August 11 2021 at 14:00 UTC

Authentication via Query Parameters

Please refer to this blog post for authentication via headers.


  • May 5, 2021: For 12 hours starting at 14:00 UTC
  • June 9, 2021: For 24 hours starting at 14:00 UTC
  • August 11, 2021: For 48 hours starting at 14:00 UTC


  • September 8 2021 at 14:00 UTC

Please check the latest Enterprise release notes to learn in which version these functionalities will be removed.

See more