GitHub Token Write Permissions
Description
Even when you avoid write-all, a workflow can still declare several write scopes (contents, issues, pull-requests, packages) that its jobs never use. Those scopes are granted to the GITHUB_TOKEN for every job in the run, so any compromised step can still modify branches, PRs, or packages. GitHub’s least-privilege guidance applies here: only request the scopes the job truly needs. [1]
Vulnerable Instance
- Workflow declares several write scopes even though it just runs tests.
```yaml
permissions:
  contents: write
  pull-requests: write
  issues: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
```
Mitigation Strategies
- Inventory scopes: for each `permissions` entry, list the steps that actually need it.
- Downgrade unused scopes: change `write` to `read` if there’s no corresponding `git push`/`gh` usage.
- Job-level overrides: keep workflow-level permissions read-only and grant write only to specific jobs.
- Use deployment tokens: for publishing steps, consider GitHub Apps or PATs limited to the target repo.
- Document rationale: leave comments explaining why a write scope exists and when it was reviewed.
Secure Version
```diff
 permissions:
-  contents: write
-  pull-requests: write
-  issues: write
+  contents: read
+  pull-requests: read
 jobs:
   test:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - run: npm test
+  deploy:
+    needs: test
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    # A job-level block replaces the workflow-level one; scopes not listed here are not granted.
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+      - run: ./scripts/deploy.sh
```
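As an added example (not part of this page or of GitHub's own tooling), a small Python check that automates the "inventory scopes" and "downgrade unused scopes" steps above. It assumes the workflow has already been loaded into a dict (for instance with PyYAML) and uses a hypothetical, deliberately rough set of command markers to decide whether a run step exercises a write scope; the two sample workflows are constructed inline from the vulnerable and secure versions on this page.

```python
"""Flag GITHUB_TOKEN write scopes that no step in a job appears to use."""

# Rough, hypothetical markers that a run step exercises a given write scope.
WRITE_USAGE_MARKERS = {
    "contents": ("git push", "gh release"),
    "pull-requests": ("gh pr",),
    "issues": ("gh issue",),
    "packages": ("npm publish", "docker push"),
}


def effective_permissions(workflow, job):
    """A job-level permissions block replaces the workflow-level one entirely;
    scopes it leaves out are not granted, so only its own entries count."""
    perms = job.get("permissions", workflow.get("permissions", {}))
    if perms in ("write-all", "read-all"):
        # The shorthands expand to every scope this checker knows about.
        return {scope: perms[:-4] for scope in WRITE_USAGE_MARKERS}
    return dict(perms or {})


def unused_write_scopes(workflow):
    """Return {job_name: [scope, ...]} for write scopes no run step seems to need."""
    findings = {}
    for name, job in workflow.get("jobs", {}).items():
        commands = " ".join(str(s.get("run", "")) for s in job.get("steps", []))
        unused = [
            scope for scope, level in effective_permissions(workflow, job).items()
            if level == "write"
            and not any(m in commands for m in WRITE_USAGE_MARKERS.get(scope, ()))
        ]
        if unused:
            findings[name] = unused
    return findings


# Constructed sample: the page's vulnerable workflow as it would load from YAML.
VULNERABLE = {
    "permissions": {"contents": "write", "pull-requests": "write", "issues": "write"},
    "jobs": {"test": {"runs-on": "ubuntu-latest",
                      "steps": [{"uses": "actions/checkout@v4"}, {"run": "npm test"}]}},
}

# Constructed sample: the secure version, with write confined to a deploy job.
SECURE = {
    "permissions": {"contents": "read", "pull-requests": "read"},
    "jobs": {"test": VULNERABLE["jobs"]["test"],
             "deploy": {"needs": "test", "runs-on": "ubuntu-latest",
                        "permissions": {"contents": "write"},
                        "steps": [{"run": "git push origin HEAD:release"}]}},
}
```

A deploy script that hides its `git push` (such as `./scripts/deploy.sh`) will be flagged; adding the script name to WRITE_USAGE_MARKERS is the machine-readable form of the "document rationale" step.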
Impact
| Dimension | Severity | Notes |
|---|---|---|
| Likelihood | Workflows often copy permission blocks without pruning scopes. | |
| Risk | Extra write scopes let attackers tamper with code, PRs, or issues. | |
| Blast radius | All repository areas covered by the granted scopes are exposed. | |
References
- [1] GitHub Docs, “Assigning permissions to jobs,” https://docs.github.com/actions/using-jobs/assigning-permissions-to-jobs
- GitHub Docs, “Security hardening for GitHub Actions,” https://docs.github.com/actions/security-guides/security-hardening-for-github-actions