GitHub Actions now lets you control the permissions granted to the
GITHUB_TOKEN is an automatically generated secret that lets you make authenticated calls to the GitHub API in your workflow runs. Actions generates a new token for each job and expires the token when a job completes. The token has
write permissions to a number of API endpoints except in the case of pull requests from forks which are always
read. These new settings allow you to follow a principle of least privilege in your workflows.
Setting permissions in the workflow
permissions key supported at the workflow and job level enables you to specify which permissions you want for the token. Any permission that is absent from the list will be set to
permissions: actions: read|write|none checks: read|write|none contents: read|write|none deployments: read|write|none issues: read|write|none packages: read|write|none pull-requests: read|write|none repository-projects: read|write|none security-events: read|write|none statuses: read|write|none
Pull requests from public forks are still considered a special case and will receive a read token regardless of these settings.
Setting the default permissions for the organization or repository
A new admin setting lets you set the default permissions for the token in your organization or repository.
You can choose between two options:
- Read/write for all scopes (current default)
- Read repo contents
Setting the default to
contents:read is sufficient for any workflows that simply need to clone and build. If you need additional permissions you will need to specify those in your workflow yaml.