How to Control GITHUB_TOKEN Default Permissions in GitHub Actions
GITHUB_TOKEN is scoped to the current repo only; tighten it with the permissions key and it expires at job end.
The automatic GITHUB_TOKEN is minted per job and revoked when the job ends. It only reaches the repo running the workflow. Declare a permissions: block to grant the minimum, ideally starting from read-all.
Steps
- Add a top-level
permissions:block set to the least you need. - Grant per-job overrides only where a job needs more.
- Remember it cannot reach other repos or trigger their workflows.
Workflow
.github/workflows/ci.yml
permissions:
contents: read # start minimal
jobs:
release:
runs-on: ubuntu-latest
permissions:
contents: write # this job needs to push a tag
pull-requests: write
steps:
- uses: actions/checkout@v4
- run: ./release.shGotchas
- On
pull_requestfrom a fork, GITHUB_TOKEN is read-only regardless of the block. - It cannot start another workflow; use an App token for cross-repo dispatch.
Related guides
How to Trigger a Workflow in Another Repo With a GitHub App TokenDispatch a workflow in a different repository from GitHub Actions using a GitHub App installation token, beca…
How to Handle GitHub API Rate Limits by Token Type in CIUnderstand GitHub API rate limits for GITHUB_TOKEN, user PATs, and GitHub App installation tokens, and pick t…