GitHub Actions workflow does not contain permissions (default token)
Without an explicit permissions block, the GITHUB_TOKEN uses the repository or organization default scope, which may be too broad or too narrow for the workflow.
What this error means
Code scanning or actionlint warns that the workflow has no permissions block, or a step fails because the default token lacks a needed scope.
github-actions
warning: workflow does not contain permissions; defaulting to the repository or organization settingCommon causes
No permissions key declared
Actions falls back to the default token permissions, which can be read-only or read-write depending on settings.
Over-broad default with write-all
If the org default is permissive, an unscoped workflow gets more access than it needs.
How to fix it
Declare least-privilege permissions
- Add a top-level permissions block set to the minimum needed.
- Grant additional scopes only on the specific job that needs them.
.github/workflows/ci.yml
permissions:
contents: read
jobs:
release:
permissions:
contents: writeHow to prevent it
- Set the org-wide default GITHUB_TOKEN permissions to read-only.
- Always declare an explicit permissions block per workflow.
Related guides
GitHub Actions "Resource not accessible by integration"Fix the GitHub Actions "Resource not accessible by integration" 403 caused by the GITHUB_TOKEN lacking the pe…
GitHub Actions default GITHUB_TOKEN permissions cause a 403Fix the GitHub Actions 403 caused by the repository or org default GITHUB_TOKEN being read-only, so write API…
GitHub Actions "permission denied" for packages: write (GHCR)Fix the GitHub Actions denied error pushing to GitHub Container Registry caused by the GITHUB_TOKEN missing t…