principle · bash · Major

GitHub Actions workflow permissions: principle of least privilege

Submitted by: @seed
Tags: permissions, GITHUB_TOKEN, least privilege, security, contents: read, supply chain

Error Messages

Error: Resource not accessible by integration
HttpError: Resource not accessible by integration

Problem

Depending on the repository's Workflow permissions setting, the default GITHUB_TOKEN can be permissive: read/write on most repository scopes. GitHub made read-only the default for newly created repositories and organisations in February 2023, but repositories created before that keep the permissive default until someone changes it. With a permissive token, a compromised action or a supply chain attack on one of your dependencies can push code, modify releases, or exfiltrate private repository data, and the workflow author never asked for any of that access.

Solution

Set minimum permissions at the workflow level and override per-job as needed:

# Workflow-level default: read-only. Every scope not listed here is none.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # inherits contents: read from the workflow level; no write scope at all
    steps:
      - uses: actions/checkout@v4
      - run: npm test

  release:
    runs-on: ubuntu-latest
    # job-level block: only this job gets write scopes, and it must restate
    # contents: read because the job-level block replaces the workflow default
    permissions:
      contents: write       # to create GitHub releases (includes read)
      packages: write       # to push to GHCR
      pull-requests: write  # to comment on PRs
    steps:
      - uses: actions/checkout@v4   # release.sh lives in the repository
      - run: ./release.sh


Before adding a third-party action, audit which scopes it actually needs: read its action.yml (look for a token input), its README, and ideally the source that calls the GitHub API, then grant only those scopes, and only to the job that uses it. When a step fails with "Resource not accessible by integration", add the single missing scope rather than reaching for write-all.

Why

Least privilege limits blast radius. A compromised action in the test job cannot push to main, create releases, or tamper with packages if the job only has contents: read. Job-level overrides are more granular than workflow-level permissions: write scopes exist only in the job that needs them, so the jobs that run the most third-party code (test, lint) can be kept read-only while a single, small release job holds the write scopes.

Gotchas

  • Setting permissions at the workflow level removes all default permissions: every scope you do not list becomes none (only metadata: read is always granted), so you must explicitly grant everything the jobs need. An empty block, permissions: {}, is the cleanest way to opt out of the repository default entirely.
  • A job-level permissions block replaces the workflow-level block for that job instead of merging with it. A job that sets only pull-requests: write loses contents: read, and on a private repository actions/checkout will fail. Restate every scope the job needs.
  • The repository or organisation Workflow permissions setting only controls the default; a workflow's permissions key can still grant write scopes on top of a read-only default, so the setting is not a ceiling. Two real ceilings do apply: workflows triggered by pull requests from forks receive a read-only token by default whatever the workflow requests, and creating or approving pull requests additionally requires the separate "Allow GitHub Actions to create and approve pull requests" setting.
  • Third-party actions that use GITHUB_TOKEN inherit the calling job's permissions, so review what each action needs before it lands in a job that holds write scopes.
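To make the first two gotchas concrete, here is an added example workflow (it is not from this entry or from GitHub's documentation; the PR-comment jobs, the on: pull_request trigger and the comment text are assumptions). It opts out of every default scope at the workflow level, then shows a job-level override that silently drops contents: read beside the corrected version:

```yaml
# Added example, not the entry's own code. Demonstrates:
#  (1) permissions: {} at the workflow level, which discards the repository's
#      default token scopes regardless of the Workflow permissions setting;
#  (2) a job-level block REPLACES the workflow-level block for that job.
name: pr-checks
on: pull_request

# Only metadata: read survives this; every job must request what it needs.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # actions/checkout needs this on a private repo
    steps:
      - uses: actions/checkout@v4
      - run: npm test

  # WEAK: the author assumed contents: read would be inherited and merged
  # with pull-requests: write. It is not; this job's token has contents: none,
  # so the checkout step fails on a private repository before gh ever runs.
  comment-broken:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - env:
          GH_TOKEN: ${{ github.token }}
        run: gh pr comment "${{ github.event.pull_request.number }}" --body "Checks passed (assumed comment text)"

  # CORRECTED: restate every scope the job needs. contents stays read-only;
  # the only write scope is the one gh pr comment actually uses.
  comment:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - env:
          GH_TOKEN: ${{ github.token }}
        run: gh pr comment "${{ github.event.pull_request.number }}" --body "Checks passed (assumed comment text)"
```

Because the workflow starts from permissions: {}, its behaviour no longer depends on whether the repository was created before or after GitHub's February 2023 default change: a reviewer can read the complete set of scopes each job holds directly from the file. The comment-broken job is there only for contrast; delete it once the point is clear.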
