# Overly Permissive

## Description

The `actions` scope of the `GITHUB_TOKEN` controls what a workflow may do through the GitHub Actions API. `actions: write` lets the workflow cancel, re-run and dispatch workflow runs and delete artifacts and caches; on its own it does not let the workflow edit the repository's action or workflow code, which needs `contents: write` (and `permissions: write-all` grants that and every other scope at once). That is still far more than a deploy job needs, and it is dangerous if the workflow is compromised, for example through a malicious dependency, untrusted pull-request input or a hijacked third-party action: the attacker can trigger other, more privileged workflows through `workflow_dispatch`, cancel the runs that would have caught the intrusion, and tamper with or destroy the artifacts and caches that downstream workflows consume. Write access to `actions` should almost never be granted; it puts every workflow in the repository within reach of a single compromised job [1].
## Vulnerable Instance

- The workflow declares `permissions: actions: write` or `permissions: write-all`.
- A compromised job can use the token to dispatch, re-run or cancel other workflows and to delete artifacts and caches; with `write-all` it can also push to the repository.
- Access gained this way outlives the original compromise: a dispatched workflow or a tampered artifact keeps doing the attacker's work after the malicious run has finished.
```yaml
name: Dangerous Workflow
on: [push]
permissions:
  actions: write   # Extremely dangerous!
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "Deploying..."
```

## Mitigation Strategies
- **Remove write permissions immediately.** Change `actions: write` to `actions: read`, or drop the scope entirely if the job never calls the Actions API. Once a `permissions:` block is declared, every scope it does not list is `none`, so the safe pattern is to list only what the job actually uses. Most workflows do not need to touch the Actions API at all.
- **Review if truly necessary.** Changes to action and workflow code belong in pull requests with code review, not in automation. If a workflow really must manage runs, artifacts or caches programmatically, put that in a separate, tightly scoped workflow gated by manual approval (for example an environment with required reviewers).
- **Use branch protection.** If action or workflow code must be changed by automation, route the change through a protected branch with required reviews and status checks, plus manual approval gates and whatever additional controls the repository warrants.
- **Consider GitHub Apps.** Use a GitHub App installation with narrowly scoped permissions instead of a broadly permissioned workflow token for Actions-management tasks; an app's permissions can be limited to exactly the API calls it needs.
- **Regularly audit permissions.** Periodically scan every workflow for unnecessary permissions, especially `write` on `actions`, `contents` or `packages`, and for workflows that declare no `permissions:` block at all and therefore inherit the repository default. Set that default to read-only in the repository's Actions settings so a forgotten block fails closed.
- **Isolate high-risk workflows.** If write access to the Actions API is absolutely required, confine it to its own workflow with minimal other permissions, a manual trigger (`workflow_dispatch`), and thorough logging and monitoring of what it does.
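The periodic audit described above, as an added example that is not part of the original page: a dependency-free Python scanner that reads `.github/workflows/*.yml`, walks each `permissions:` block by indentation, and flags `write-all`, `actions: write`, `contents: write`, `packages: write`, and workflows with no top-level `permissions:` block. The sample workflows at the bottom are constructed for the demo (one is the page's own Dangerous Workflow, the secure one is derived from it); the `Finding` record, the severity labels and the file name `audit_perms.py` are this example's own conventions, not anything GitHub defines.

```python
"""Flag overly permissive GITHUB_TOKEN scopes in GitHub Actions workflows.

Added example, not the page's own code. It walks ``permissions:`` blocks by
indentation instead of using a YAML library, so it runs with no dependencies;
an action input literally named ``permissions`` under ``with:`` would be a
false positive (assumed rare).
"""
import glob
import re
import sys
from dataclasses import dataclass

# Scopes whose write level the page singles out; the severities are this example's own.
RISKY_WRITE_SCOPES = {"actions": "HIGH", "contents": "MEDIUM", "packages": "MEDIUM"}
PERM_RE = re.compile(r"^( *)permissions:[ \t]*([^#\s]*)")  # group 2: inline value, if any
SCOPE_RE = re.compile(r"^( *)([a-z-]+):[ \t]*([a-z-]+)")    # e.g. "  actions: write"
KEY_RE = re.compile(r"^( *)([A-Za-z_][\w-]*):")             # mapping key (not a "- " item)


@dataclass(frozen=True)
class Finding:
    line: int        # 1-based line in the workflow file; 0 means the file as a whole
    owner: str       # "workflow" or "job <name>"
    severity: str
    message: str


def _owner(lines, idx, indent):
    # Nearest enclosing mapping key with a smaller indent; for a nested
    # permissions block that is the job name.
    for k in range(idx - 1, -1, -1):
        m = KEY_RE.match(lines[k])
        if m and len(m.group(1)) < indent:
            return f"job {m.group(2)}"
    return "unknown"


def audit_workflow(text: str) -> list:
    lines = text.splitlines()
    findings, saw_top_level, i = [], False, 0
    while i < len(lines):
        m = PERM_RE.match(lines[i])
        if not m:
            i += 1
            continue
        indent, inline = len(m.group(1)), m.group(2)
        owner = "workflow" if indent == 0 else _owner(lines, i, indent)
        saw_top_level = saw_top_level or indent == 0
        if inline:  # write-all, read-all or {}: nothing nested to walk
            if inline == "write-all":
                findings.append(Finding(i + 1, owner, "HIGH", "write-all grants write on every scope"))
            i += 1
            continue
        j = i + 1
        while j < len(lines):
            line = lines[j]
            if not line.strip() or line.lstrip().startswith("#"):
                j += 1
                continue
            if len(line) - len(line.lstrip(" ")) <= indent:
                break  # dedented: the permissions block has ended
            sm = SCOPE_RE.match(line)
            if sm and sm.group(3) == "write" and sm.group(2) in RISKY_WRITE_SCOPES:
                findings.append(Finding(j + 1, owner, RISKY_WRITE_SCOPES[sm.group(2)], f"{sm.group(2)}: write"))
            j += 1
        i = j
    if not saw_top_level:
        findings.append(Finding(0, "workflow", "LOW", "no top-level permissions block; token gets the repository default"))
    return findings


# Constructed samples: the page's Dangerous Workflow, a secure variant derived from it,
# a job-level write-all, and a workflow that declares no permissions at all.
DANGEROUS = """\
name: Dangerous Workflow
on: [push]
permissions:
  actions: write   # Extremely dangerous!
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: echo "Deploying..."
"""
SECURE = DANGEROUS.replace("actions: write   # Extremely dangerous!", "contents: read\n  actions: read")
WRITE_ALL_JOB = """\
name: Mixed
on: [push]
permissions: read-all
jobs:
  release:
    permissions: write-all
    runs-on: ubuntu-latest
    steps:
      - run: ./release.sh
"""
NO_PERMS = "name: Implicit\non: [push]\njobs:\n  test:\n    runs-on: ubuntu-latest\n    steps:\n      - run: make test\n"

if __name__ == "__main__":  # usage: python audit_perms.py [workflow.yml ...]
    exit_code = 0
    for path in sys.argv[1:] or sorted(glob.glob(".github/workflows/*.y*ml")):
        with open(path, encoding="utf-8") as fh:
            for f in audit_workflow(fh.read()):
                print(f"{path}:{f.line}: [{f.severity}] {f.owner}: {f.message}")
                exit_code = 1
    sys.exit(exit_code)
```

Run it from the repository root (or pass explicit paths) in CI so a non-zero exit blocks the merge; on the page's Dangerous Workflow it reports line 4 as `[HIGH] workflow: actions: write`, and on the secure variant it reports nothing. Job-level blocks are attributed to their job, because a `write-all` hidden in one job is just as reachable as one at the top.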
## Secure Version

```diff
 name: Secure Workflow
 on: [push]
 permissions:
+  contents: read
-  actions: write   # Extremely dangerous!
+  actions: read    # Read-only, or omit entirely
 jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - run: echo "Deploying..."
```

`contents: read` is added explicitly because declaring any `permissions:` block sets every unlisted scope to `none`, and `actions/checkout` needs read access to the repository contents to clone it.
## Impact

| Dimension | Assessment |
|---|---|
| Likelihood | Most workflows do not need `actions: write`, so the scope is uncommon, but wherever it is granted the exposure is extreme. |
| Risk | A compromised workflow can dispatch, cancel and re-run other workflows and delete or tamper with artifacts and caches, giving an attacker persistent leverage over the pipeline. |
| Blast radius | Every workflow in the repository is reachable, so the whole CI/CD pipeline and, through its deployments and artifacts, the codebase it builds can be compromised. |
## References

1. GitHub Docs, "Permissions for the GITHUB_TOKEN," https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token