Skip to content
Latchkey

How to Control GITHUB_TOKEN Default Permissions in GitHub Actions

GITHUB_TOKEN is scoped to the current repo only; tighten it with the permissions key and it expires at job end.

The automatic GITHUB_TOKEN is minted per job and revoked when the job ends. It only reaches the repo running the workflow. Declare a permissions: block to grant the minimum, ideally starting from read-all.

Steps

  • Add a top-level permissions: block set to the least you need.
  • Grant per-job overrides only where a job needs more.
  • Remember it cannot reach other repos or trigger their workflows.

Workflow

.github/workflows/ci.yml
permissions:
  contents: read        # start minimal
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write     # this job needs to push a tag
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - run: ./release.sh

Gotchas

  • On pull_request from a fork, GITHUB_TOKEN is read-only regardless of the block.
  • It cannot start another workflow; use an App token for cross-repo dispatch.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →