Skip to content
Latchkey

GitHub Actions workflow does not contain permissions (default token)

Without an explicit permissions block, the GITHUB_TOKEN uses the repository or organization default scope, which may be too broad or too narrow for the workflow.

What this error means

Code scanning or actionlint warns that the workflow has no permissions block, or a step fails because the default token lacks a needed scope.

github-actions
warning: workflow does not contain permissions; defaulting to the repository or organization setting

Common causes

No permissions key declared

Actions falls back to the default token permissions, which can be read-only or read-write depending on settings.

Over-broad default with write-all

If the org default is permissive, an unscoped workflow gets more access than it needs.

How to fix it

Declare least-privilege permissions

  1. Add a top-level permissions block set to the minimum needed.
  2. Grant additional scopes only on the specific job that needs them.
.github/workflows/ci.yml
permissions:
  contents: read

jobs:
  release:
    permissions:
      contents: write

How to prevent it

  • Set the org-wide default GITHUB_TOKEN permissions to read-only.
  • Always declare an explicit permissions block per workflow.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →