Skip to content

GH Actions: set permissions for each workflow/job #59

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 19, 2025
Merged

GH Actions: set permissions for each workflow/job #59

merged 1 commit into from
Sep 19, 2025

Conversation

jrfnl
Copy link
Member

@jrfnl jrfnl commented Sep 19, 2025

Users frequently over-scope their workflow and job permissions, or set broad workflow-level permissions without realizing that all jobs inherit those permissions.

Furthermore, users often don't realize that the default GITHUB_TOKEN permissions can be very broad, meaning that workflows that don't configure any permissions at all can still provide excessive credentials to their individual jobs.

Remediation
In general, permissions should be declared as minimally as possible, and as close to their usage site as possible.

In practice, this means that workflows should almost always set permissions: {} at the workflow level to disable all permissions by default, and then set specific job-level permissions as needed.

Refs:

@jrfnl
GH Actions: set permissions for each workflow/job
d62bc50 
> Users frequently over-scope their workflow and job permissions, or set broad workflow-level permissions without realizing that all jobs inherit those permissions.
>
> Furthermore, users often don't realize that the _default_ `GITHUB_TOKEN` permissions can be very broad, meaning that workflows that don't configure any permissions at all can _still_ provide excessive credentials to their individual jobs.
>
> **Remediation**
> In general, permissions should be declared as minimally as possible, and as close to their usage site as possible.
>
> In practice, this means that workflows should almost always set `permissions: {}` at the workflow level to disable all permissions by default, and then set specific job-level permissions as needed.

Refs:
* https://docs.zizmor.sh/audits/#excessive-permissions
* https://github.com/GitHubSecurityLab/actions-permissions/tree/main/monitor
@jrfnl jrfnl added this to the 1.3.4 milestone Sep 19, 2025
@jrfnl jrfnl merged commit 5de1cbd into master Sep 19, 2025
6 of 8 checks passed
@jrfnl jrfnl deleted the feature/ghactions-set-minimal-permissions branch September 19, 2025 17:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
chores/QA
Projects
None yet
Milestone
1.3.4
Development

Successfully merging this pull request may close these issues.
1 participant
@jrfnl