Skip to content
Latchkey

Workflow Permissions - CI/CD Glossary Definition

Workflow permissions scope the GITHUB_TOKEN via the permissions: key for least privilege.

Workflow permissions set the access scopes granted to GITHUB_TOKEN via the permissions: key, letting you restrict a workflow to least privilege such as contents: read.

The permissions: block, set at the workflow or job level, defines exactly which token scopes a run has. Starting from contents: read and adding only what is needed is the safe default.

Example

.github/workflows/deploy.yml
permissions:
  contents: read
  id-token: write  # for OIDC

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →