Previously, GitHub Actions received a GITHUB_TOKEN with both read and write permissions by default whenever Actions was enabled on a repository.
As a default this is too permissive, so to improve security we are changing the default going forward to a read-only token. You can still switch it to read/write if a workflow needs it.
This change will not impact any existing enterprises, organizations or repositories. Here is how the defaults are set going forward.
- Enterprises: New enterprises will have a read-only token.
- Organizations owned by an enterprise: New organizations will inherit the permissions from the parent enterprise.
- Organizations not owned by an enterprise: New organizations will have a read-only token.
- Repositories owned by an organization: New repositories will inherit the permissions from the parent organization.
- Repositories owned by a personal account: New repositories will have a read-only token.
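Whatever the inherited default is, a workflow can declare the GITHUB_TOKEN scopes it needs with the `permissions` key, so the token is read-only everywhere except the one job that must write. The workflow below is an added example, not part of this changelog entry; the workflow name, the `scripts/test.sh` script and the job layout are hypothetical, while the `permissions` key, its scope names and the `GH_TOKEN`/`GH_REPO` environment variables are standard GitHub Actions and `gh` CLI behaviour.

```yaml
# Added example (not from the changelog entry above): declare GITHUB_TOKEN
# permissions explicitly instead of relying on the repository or
# organization default. Workflow name, script path and jobs are hypothetical.
name: ci

on:
  pull_request:

# Workflow-level default: read-only contents, matching the new default and
# pinning it even on repositories whose setting is still read/write.
# Any scope not listed here is set to "none" for every job.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/test.sh   # hypothetical test script

  comment:
    runs-on: ubuntu-latest
    needs: test
    # Job-level override: only this job gets a write scope, and only the one
    # scope it needs (commenting on the pull request).
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: gh pr comment "$PR" --body "Tests passed"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          PR: ${{ github.event.pull_request.number }}
```

Setting `permissions` at the workflow level resets every unlisted scope to `none`, so the `test` job cannot push, create releases or modify issues even on a repository where the default token is still read/write; the `comment` job re-declares the scopes it needs rather than inheriting a blanket write token.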