What Is Least Privilege?
Least privilege means a CI job gets exactly the permissions it needs to do its work - and nothing more - so a compromise has a small blast radius.
A pipeline that can do anything is a pipeline that, if compromised, lets an attacker do anything. The principle of least privilege keeps each job's permissions minimal and specific, so the damage from a leaked token or malicious dependency stays contained.
The principle
Grant the smallest set of permissions sufficient for the task. A test job rarely needs write access to anything; a deploy job needs to deploy one service, not administer the account.
Applying it in CI
- Scope the platform token down - for example
permissions: contents: readby default, widening only where needed. - Give OIDC roles a tight trust policy and minimal cloud permissions.
- Separate read jobs from write jobs so most of the pipeline holds no write access.
A small example
Setting permissions: contents: read at the workflow level makes the default token read-only. A single job that needs to comment on a PR adds pull-requests: write for just itself - the rest of the pipeline cannot write anything.
Why it matters more in CI
CI runs untrusted-ish code: third-party actions, dependencies, and pull requests. Least privilege assumes any of those could be hostile and ensures that even then, the job cannot reach beyond its narrow remit.
Auditing privileges
Permissions creep over time. Periodically review what each workflow and role can do and trim anything unused - the access a pipeline never exercises is pure downside if it is ever compromised.
Key takeaways
- Least privilege gives a job only the permissions it needs.
- Default tokens to read-only and widen narrowly where required.
- It limits the blast radius of a leaked token or hostile dependency.