Actions Permissions Implementation Notes Reading through #24635 and related PRs. Need to understand why #23729 and #24554 were rejected. Key points: Security first Org/repo boundaries No blanket permissions