Workflow Permissions - CI/CD Glossary Definition
Workflow permissions scope the GITHUB_TOKEN via the permissions: key for least privilege.
Workflow permissions set the access scopes granted to GITHUB_TOKEN via the permissions: key, letting you restrict a workflow to least privilege such as contents: read.
The permissions: block, set at the workflow or job level, defines exactly which token scopes a run has. Starting from contents: read and adding only what is needed is the safe default.
Example
.github/workflows/deploy.yml
permissions:
contents: read
id-token: write # for OIDC