Script Valley
CI/CD with GitHub Actions
Security and Best Practices, Lesson 6.3

How to use minimum permissions with GITHUB_TOKEN

permissions block, principle of least privilege, read-all default, write permissions, job-level permissions, permission inheritance, GITHUB_TOKEN scope, security audit

Default GITHUB_TOKEN Permissions

GITHUB_TOKEN permission scopes

What GITHUB_TOKEN can do when a workflow sets no permissions depends on the repository's (or organization's) "Workflow permissions" setting. Repositories and organizations created since February 2023 default to the restricted setting: the token gets read access to contents and packages (plus metadata, which is always readable) and nothing else. Older repositories and organizations may still use the permissive setting, which grants read and write access to nearly every scope. Do not build on either default. Following the principle of least privilege, declare in the workflow file exactly the scopes it needs, so the workflow carries its own policy and behaves the same in any repository it is copied to.

Setting Minimum Permissions

name: ci
on: [push, pull_request]   # trigger added so the snippet is a complete workflow

permissions:               # workflow level: inherited by every job that sets no block of its own
  contents: read           # actions/checkout needs this to clone the repository
  packages: write          # push images to ghcr.io

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:           # job level: replaces the workflow block for this job
      contents: read       # still required for checkout; packages is now none
    steps:
      - uses: actions/checkout@v4
      - run: npm test

Set a workflow-level permissions block as the baseline that every job inherits, then give a job its own block whenever it needs less. A job-level block replaces the workflow-level block for that job rather than being merged with it, and within any block every scope you do not list is set to none (only metadata: read is always granted), so each block must name everything its job needs. The test job above keeps contents: read because actions/checkout cannot clone the repository without it, and it drops packages: write because running tests never pushes an image. A job that only runs tests should not have packages: write. Keeping each job to the scopes it actually uses limits the blast radius if a step, or a third-party action it runs, is compromised: a token leaked from that job can only do what that job was allowed to do.
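The inheritance rules above are easy to get wrong by hand, so here is an added example (not part of the lesson or of any GitHub tooling) that resolves the effective GITHUB_TOKEN scopes per job from a workflow and flags the two things an auditor looks for: which scopes each job can write to, and whether a job that checks out code has accidentally lost contents: read. The workflow is the lesson's, embedded as constructed Python data instead of YAML, with two hypothetical jobs added: publish (no block of its own, so it inherits packages: write) and broken (sets only packages: write, so contents drops to none). The scope list and the "restricted"/"permissive" defaults follow GitHub's documentation; treating read-all as leaving id-token at none is an assumption, since that scope only has write/none levels.

```python
"""Resolve effective GITHUB_TOKEN scopes per job (added example, not GitHub's code).

Rules encoded: no `permissions` key -> repository default applies; inside any
block, unlisted scopes become `none` (so `permissions: {}` grants nothing); a
job-level block replaces the workflow-level block; `metadata: read` is always on.
"""

SCOPES = [
    "actions", "attestations", "checks", "contents", "deployments",
    "discussions", "id-token", "issues", "packages", "pages",
    "pull-requests", "repository-projects", "security-events", "statuses",
]
LEVELS = {"read", "write", "none"}


def _repo_default(setting: str) -> dict:
    """Scopes a job gets when no `permissions` key applies to it."""
    if setting == "restricted":
        perms = {s: "none" for s in SCOPES}
        perms["contents"] = "read"
        perms["packages"] = "read"
    elif setting == "permissive":
        perms = {s: "write" for s in SCOPES}
        perms["id-token"] = "none"  # OIDC tokens are never granted by default
    else:
        raise ValueError(f"unknown repository default: {setting!r}")
    perms["metadata"] = "read"
    return perms


def _expand(block, setting: str) -> dict:
    """Turn one `permissions` value (None when absent) into a full scope map."""
    if block is None:
        return _repo_default(setting)
    if block == "read-all":
        perms = {s: "read" for s in SCOPES}
        perms["id-token"] = "none"  # assumption: id-token has no read level
    elif block == "write-all":
        perms = {s: "write" for s in SCOPES}
    elif isinstance(block, dict):
        unknown = set(block) - set(SCOPES)
        if unknown:
            raise ValueError(f"unknown scope(s): {sorted(unknown)}")
        perms = {s: "none" for s in SCOPES}  # every unlisted scope drops to none
        for scope, level in block.items():
            if level not in LEVELS:
                raise ValueError(f"{scope}: invalid level {level!r}")
            perms[scope] = level
    else:
        raise ValueError(f"unsupported permissions value: {block!r}")
    perms["metadata"] = "read"
    return perms


def effective_permissions(workflow: dict, setting: str = "restricted") -> dict:
    """Map job name -> effective scope map. Job block wins over workflow block."""
    workflow_block = workflow.get("permissions")
    return {
        name: _expand(job["permissions"] if "permissions" in job else workflow_block, setting)
        for name, job in workflow["jobs"].items()
    }


def write_scopes(perms: dict) -> list:
    """Scopes a job can write to: what a compromised step in it could abuse."""
    return sorted(s for s, level in perms.items() if level == "write")


def audit(workflow: dict, setting: str = "restricted") -> dict:
    """Per job: write scopes, and whether it runs actions/checkout without contents access."""
    findings = {}
    for name, perms in effective_permissions(workflow, setting).items():
        steps = workflow["jobs"][name].get("steps", [])
        uses_checkout = any("actions/checkout" in str(s.get("uses", "")) for s in steps)
        findings[name] = {
            "write": write_scopes(perms),
            "checkout_without_contents": uses_checkout and perms["contents"] == "none",
        }
    return findings


# Constructed input: the lesson's workflow as Python data, plus two hypothetical
# jobs. "publish" inherits the workflow block; "broken" sets its own block and
# omits contents: read, so actions/checkout cannot clone the repository.
WORKFLOW = {
    "permissions": {"contents": "read", "packages": "write"},
    "jobs": {
        "test": {"permissions": {"contents": "read"},
                 "steps": [{"uses": "actions/checkout@v4"}, {"run": "npm test"}]},
        "publish": {"steps": [{"uses": "actions/checkout@v4"},
                              {"run": "docker push ghcr.io/example/app"}]},
        "broken": {"permissions": {"packages": "write"},
                   "steps": [{"uses": "actions/checkout@v4"}]},
    },
}

if __name__ == "__main__":
    for job, finding in audit(WORKFLOW).items():
        print(f"{job}: write={finding['write']} "
              f"checkout_without_contents={finding['checkout_without_contents']}")
```

Running it reports that test holds no write scopes, publish holds packages: write, and broken is flagged because its job-level block silently removed contents: read. Pointing the same resolver at real workflow files (parse the YAML into the same dict shape first) is a quick way to audit a repository's workflows for jobs that carry write scopes they never use.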
