Skip to content
Latchkey

What Is Least Privilege?

Least privilege means a CI job gets exactly the permissions it needs to do its work - and nothing more - so a compromise has a small blast radius.

A pipeline that can do anything is a pipeline that, if compromised, lets an attacker do anything. The principle of least privilege keeps each job's permissions minimal and specific, so the damage from a leaked token or malicious dependency stays contained.

The principle

Grant the smallest set of permissions sufficient for the task. A test job rarely needs write access to anything; a deploy job needs to deploy one service, not administer the account.

Applying it in CI

  • Scope the platform token down - for example permissions: contents: read by default, widening only where needed.
  • Give OIDC roles a tight trust policy and minimal cloud permissions.
  • Separate read jobs from write jobs so most of the pipeline holds no write access.

A small example

Setting permissions: contents: read at the workflow level makes the default token read-only. A single job that needs to comment on a PR adds pull-requests: write for just itself - the rest of the pipeline cannot write anything.

Why it matters more in CI

CI runs untrusted-ish code: third-party actions, dependencies, and pull requests. Least privilege assumes any of those could be hostile and ensures that even then, the job cannot reach beyond its narrow remit.

Auditing privileges

Permissions creep over time. Periodically review what each workflow and role can do and trim anything unused - the access a pipeline never exercises is pure downside if it is ever compromised.

Key takeaways

  • Least privilege gives a job only the permissions it needs.
  • Default tokens to read-only and widen narrowly where required.
  • It limits the blast radius of a leaked token or hostile dependency.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →