Christos Galanopoulos

Overview

One of the key features of GitHub Actions is the ability to authenticate and authorize actions using GitHub Tokens, such as the GITHUB_TOKEN. Additionally, GitHub Actions also allows repository owners to fine-tune the access that workflow jobs have using the permissions keyword. In this blog post, we will take a detailed look at how someone can have granular control over the actions that their workflows take.

GITHUB_TOKEN

GITHUB_TOKEN is a special token that is automatically generated by GitHub Actions and can be used to perform a variety of actions within a workflow. This token is unique to each workflow and can be used to authenticate with the GitHub API, making it a powerful tool for automating tasks and interacting with the GitHub platform. The token is scoped to the repository where the workflow is defined and it has access to the same permissions as the person who triggered the workflow.

You reference the GITHUB_TOKEN in two ways:

  • using the github context: ${{ github.token }}
  • using the secrets context: ${{ secrets.GITHUB_TOKEN }}

It is useful to know that events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, do not start a new workflow run when you use the repository’s GITHUB_TOKEN to carry out tasks. This stops you from unintentionally generating workflow runs that are recursive.

You can also set the default permissions for your repository by choosing one of two options:

  • Read/write permissions: Workflows have read and write permissions in the repository for all scopes.
  • Read repository contents permission: Workflows have read permissions in the repository for the contents scope only.

I recommend that you select the second option, following best security practices, and if you need additional permissions, you can specify them in the workflow yaml, as we will see next.

Permissions

The permissions keyword is a feature in GitHub Actions that allows repository owners to fine-tune the access that workflow jobs have to References within a repository. This can include things like reading or writing to the repository’s code, creating and managing issues, and interacting with the GitHub API.

Permissions can be used within single jobs or as a top-level key that applies to all jobs in the workflow. All operations and run commands within a given job that use the GITHUB_TOKEN are granted the access privileges you define when the permissions keyword is added to that task.

Here are all the possible values of permissions:

permissions:
  actions: read|write|none
  checks: read|write|none
  contents: read|write|none
  deployments: read|write|none
  id-token: read|write|none
  issues: read|write|none
  discussions: read|write|none
  packages: read|write|none
  pages: read|write|none
  pull-requests: read|write|none
  repository-projects: read|write|none
  security-events: read|write|none
  statuses: read|write|none

# Define read or write access for all of the available scopes
permissions: read-all|write-all

# Disable permissions for all of the available scopes
permissions: {}

NOTE: If you specify the access for any of these scopes, all of those that are not specified are set to none.

Example

Let’s take a look at an example:

name: permissions

on:
  workflow_dispatch:

permissions: read-all # applies to all jobs in the workflow

jobs:
  job-1:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          echo "Test Job 1"
  job-2:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          echo "Test Job 2"
  job-3:
    runs-on: ubuntu-latest
    permissions: {} # applies to only this job, overrides the workflow-scoped value
    steps:
      - uses: actions/checkout@v4
      - run: |
          echo "Test Job 3"

In the above example, we set read-all permission for all the jobs in a workflow. We also override that value in job-3, where we disable all permissions and so we expect that this job will fail since it can not complete the action of checking out the repository.

permissions

Summary

In summary, the combination of GITHUB_TOKEN and permissions is a powerful tool that allows the fine-tuned access of workflow jobs. When assigning permissions, always remember to follow security best practices.

Resources

Leave a comment

You may also enjoy

Microsoft Kiota

10 minute read

Kiota is a powerful tool designed to streamline the process of generating API clients for any OpenAPI-described API you’re interested in.

Protocol Buffers

22 minute read

Protocol Buffers, also known as protobuf, is a language-agnostic binary serialization format developed by Google. It enables efficient serialization and dese...

GitHub Packages

5 minute read

GitHub Packages is a package management service provided by GitHub. It allows developers to publish and consume software packages, including libraries, frame...

GitHub Secret Scanning

5 minute read

GitHub Secret Scanning is a tool that scans your code for secrets, including passwords, API keys, and other sensitive information. It integrates seamlessly w...