There are multiple scopes at which the permissions of the GITHUB_TOKEN access token (which is automatically generated
for use in GitHub Actions workflow runs) can be configured:

- enterprise
- organization
- repository
- workflow
- job

The latter two scopes are configured using the `permissions` workflow key. The point of configuring permissions in the
workflow is that each workflow may have different requirements. Granular configuration means that the "principle of
least privilege" can be more closely followed, by only granting permissions in the specific scopes where they are
needed.

Previously, in cases where the same permissions configuration could be used for all jobs in a workflow, the
configuration was done at the workflow scope. Even if functionally equivalent, I think it is semantically more
appropriate to always set the permissions at the job scope. This more clearly communicates that the intention is to make
the most granular possible permissions configuration. Hopefully that will serve as a model for any additional jobs added
to the workflow in the future and make it more likely that the appropriate permissions configuration will be done there.
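
The difference between the two scopes, as an added example that is not part of this commit or its repository: the workflow names, job names and `run` commands are hypothetical. The first file grants `contents: read` to every job through inheritance; the second states each job's needs on the job itself, so a job added later carries its own explicit grant.

```yaml
# File 1 (before): permissions set once at workflow scope.
# Every job, including any added later, silently inherits this block.
name: Check (workflow-scope permissions)
on:
  pull_request:

permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint            # hypothetical command
```

```yaml
# File 2 (after): permissions set at job scope.
# Once a job has a `permissions` key, scopes it does not list are set to none,
# so each job's token carries only what is written next to it.
name: Check (job-scope permissions)
on:
  pull_request:

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read              # checkout only
    steps:
      - uses: actions/checkout@v4
      - run: make lint            # hypothetical command

  # A job added later follows the same pattern and states its own needs.
  comment-results:
    needs: lint
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write        # post a comment; no repository contents access
    steps:
      - run: gh pr comment "$PR_URL" --body "Lint passed"
        env:
          GH_TOKEN: ${{ github.token }}
          PR_URL: ${{ github.event.pull_request.html_url }}
```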