permissions

Checks that workflows have explicit permissions configuration.

Why This Matters

The permissions block controls what the workflow's GITHUB_TOKEN may do. When it is absent, the token receives whatever default the repository or organization settings specify, which for many existing repositories is a permissive set with write access to most scopes. Declaring permissions explicitly:

  • Reduces attack surface: a compromised step or third-party action can only use the scopes you granted
  • Follows the least-privilege principle: grant only the scopes the workflow actually needs; every scope you do not list is set to none
  • Prevents accidental damage: a buggy script cannot push, publish or modify issues unless the token allows it
  • Decouples the workflow from repository and organization defaults, so its behaviour does not change when those settings change

What It Detects

Workflows with no permissions key at the workflow level whose jobs do not declare one of their own either.

❌ Bad

name: CI
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

✅ Good

name: CI
on: push
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

Example Output

ci.yml: (permissions) Workflow is missing permissions configuration
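The following is an added example of how this check can be implemented; it is not the project's own code. It scans block-style YAML by indentation rather than using a YAML library, so it assumes unquoted keys, consistent nesting, no flow mappings and one document per file. The sample workflows are constructed (the first two mirror the Bad and Good examples above), and the per-job message wording is this example's own.

```python
"""Added example, not the project's own code: a simplified detector for
the permissions rule. Scans block-style YAML by indentation and assumes
unquoted keys, no flow mappings and a single document per file."""

from __future__ import annotations

import re

# A block-mapping key: optional indent, a bare key, then a colon.
KEY_RE = re.compile(r"^(\s*)([A-Za-z_][\w.-]*)\s*:")


def _keys(text: str) -> list[tuple[int, int, str]]:
    """Return (line_no, indent, key) for every mapping key in the file."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0].rstrip()  # drop trailing comments
        m = KEY_RE.match(code)
        if m:
            out.append((no, len(m.group(1)), m.group(2)))
    return out


def jobs_without_permissions(text: str) -> list[str]:
    """Names of jobs covered by neither a workflow-level nor a job-level
    permissions key. An empty list means the rule passes."""
    keys = _keys(text)
    top = {k: no for no, ind, k in keys if ind == 0}
    if "permissions" in top:
        return []  # a workflow-level block applies to every job
    if "jobs" not in top:
        return []  # nothing to check

    # Collect the keys nested under `jobs:` up to the next top-level key.
    block = []
    for no, ind, k in keys:
        if no <= top["jobs"]:
            continue
        if ind == 0:
            break
        block.append((no, ind, k))
    if not block:
        return []

    job_indent = block[0][1]  # indent of the job names themselves
    jobs = [(i, k) for i, (_, ind, k) in enumerate(block) if ind == job_indent]
    missing = []
    for n, (start, job) in enumerate(jobs):
        end = jobs[n + 1][0] if n + 1 < len(jobs) else len(block)
        body = block[start + 1:end]
        # Direct children of the job are its least-indented keys; a deeper
        # `permissions` (e.g. inside a step's `with:`) does not count.
        child_indent = min((ind for _, ind, _ in body), default=None)
        if not any(k == "permissions" and ind == child_indent for _, ind, k in body):
            missing.append(job)
    return missing


def report(filename: str, text: str) -> list[str]:
    """Findings in the linter's `file: (rule) message` shape (per-job wording is ours)."""
    return [
        f"{filename}: (permissions) Job '{job}' is missing permissions configuration"
        for job in jobs_without_permissions(text)
    ]


# Constructed sample workflows. BAD and GOOD mirror the examples above.
BAD = """\
name: CI
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

GOOD = BAD.replace("jobs:", "permissions:\n  contents: read\njobs:", 1)

# One job declares permissions, the other relies on the repository default.
MIXED = """\
name: Release
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: make
  release:
    runs-on: ubuntu-latest
    steps:
      - run: make publish  # would need contents: write, none declared
"""

if __name__ == "__main__":
    for name, text in [("ci.yml", BAD), ("ci-good.yml", GOOD), ("release.yml", MIXED)]:
        print("\n".join(report(name, text)) or f"{name}: ok")
```

The indentation scan is deliberately conservative: it only credits a permissions key that sits directly under the job, so a nested key with the same name does not silence the finding.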

Auto-fix

Not supported. Which scopes are needed depends on what the workflow actually does, so you must add them manually. A practical approach is to start from contents: read and add a scope only when a step fails for lack of it.

Common Permission Configurations

Listing any scope sets every scope you leave out to none, so each block below is a complete grant, not an addition to the default.

Read-only (enough for checkout; an empty permissions mapping is stricter still and removes every scope)

permissions:
  contents: read

Minimal for CI that publishes check runs (drop checks: write if it does not)

permissions:
  contents: read
  checks: write

Publishing Packages to GitHub Packages (including ghcr.io)

permissions:
  contents: read
  packages: write

Creating Releases

permissions:
  contents: write

Read All (Convenience; broader than most workflows need, but grants no write access)

permissions: read-all

Job-level Permissions

You can also set permissions per job. A job-level block replaces the workflow-level block for that job rather than merging with it, so list every scope the job needs, not just the ones you are adding:

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps: ...

  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write  # Override for this job only
    steps: ...
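To make the replacement rule concrete, here is an added example (not the project's own code) that resolves the permissions a job's GITHUB_TOKEN actually ends up with, following GitHub's documented rules: a job-level block replaces the workflow-level block, read-all and write-all expand to every scope, and any scope left out of an explicit mapping becomes none. The scope list and the two repository-default profiles are a constructed subset for illustration; id-token and metadata are left out.

```python
"""Added example, not the project's own code: resolve the permissions a
job's GITHUB_TOKEN receives. Scope list and default profiles are a
constructed subset (id-token and metadata omitted)."""

from __future__ import annotations

# Scopes that accept read, write or none.
SCOPES = ("actions", "checks", "contents", "deployments", "issues",
          "packages", "pages", "pull-requests", "security-events", "statuses")
LEVELS = ("read", "write", "none")

# What the token gets when no permissions key exists anywhere. Which profile
# applies is a repository/organization setting the workflow cannot control.
REPO_DEFAULTS = {
    "permissive": {s: "write" for s in SCOPES},
    "restricted": {s: ("read" if s in ("contents", "packages") else "none") for s in SCOPES},
}

Permissions = dict[str, str]


def expand(spec) -> Permissions:
    """Turn a permissions value (mapping, 'read-all', 'write-all' or {})
    into a complete scope -> level map."""
    if spec == "read-all":
        return {s: "read" for s in SCOPES}
    if spec == "write-all":
        return {s: "write" for s in SCOPES}
    if isinstance(spec, dict):
        for scope, level in spec.items():
            if scope not in SCOPES:
                raise ValueError(f"unknown scope: {scope}")
            if level not in LEVELS:
                raise ValueError(f"bad level for {scope}: {level}")
        # Unlisted scopes become none, not the repository default.
        return {s: spec.get(s, "none") for s in SCOPES}
    raise ValueError(f"unsupported permissions value: {spec!r}")


def effective_permissions(workflow_perms, job_perms, repo_default="permissive") -> Permissions:
    """The token a job actually receives; None means the key is absent at that level."""
    if job_perms is not None:
        return expand(job_perms)  # replaces the workflow block entirely
    if workflow_perms is not None:
        return expand(workflow_perms)
    return dict(REPO_DEFAULTS[repo_default])


def granted(perms: Permissions) -> list[str]:
    """Scopes with any access, as 'scope:level', for compact display."""
    return sorted(f"{s}:{lvl}" for s, lvl in perms.items() if lvl != "none")


if __name__ == "__main__":
    wf = {"contents": "read", "checks": "write"}
    job = {"contents": "write"}
    print(granted(effective_permissions(wf, None)))    # workflow block applies
    print(granted(effective_permissions(wf, job)))     # job block wins; checks drops to none
    print(granted(effective_permissions(None, None)))  # permissive default: everything writable
```

The second call is the case the section above warns about: the release job gains contents: write but silently loses checks: write, because the job-level mapping is evaluated on its own.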

See Also