GitHub Action uses write-all permissions
Using the write-all permission in a GitHub Action workflow grants the workflow write access on all scopes. Avoid granting unnecessary privileges to a GitHub Action workflow and only enable the scopes that are necessary for the workflow execution.
Examples
Insecure Example
# write access on all scopes
permissions: write-all
jobs:
  write-all:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
Secure Example
# only the scope the checkout step needs
permissions:
  contents: read
jobs:
  contents-read:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
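
One way to check workflow files for this pattern, as an added example that is not part of the original page or of any scanner's own code. It goes beyond the workflow-level case shown above and also reports `write-all` set on an individual job; the function name `find_write_all` and the sample workflow are assumptions made for illustration.

```python
import re

# `permissions: write-all`, optionally quoted, optionally followed by a comment.
WRITE_ALL = re.compile(r"""^(\s*)permissions:\s*['"]?write-all['"]?\s*(#.*)?$""")
KEY = re.compile(r"^(\s*)([A-Za-z0-9_-]+):")

def find_write_all(workflow_text):
    """Return [(line_number, scope)]; scope is "workflow" or "job:<name>".

    Indentation-based heuristic, not a full YAML parser.
    """
    findings = []
    in_jobs, job_indent, current_job = False, None, None
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key = KEY.match(line)
        if key:
            indent, name = len(key.group(1)), key.group(2)
            if indent == 0:
                # New top-level key: track whether we are inside `jobs:`.
                in_jobs, job_indent, current_job = (name == "jobs"), None, None
            elif in_jobs:
                if job_indent is None:
                    job_indent = indent  # first key under `jobs:` sets job depth
                if indent == job_indent:
                    current_job = name
        hit = WRITE_ALL.match(line)
        if hit:
            scope = "workflow" if not hit.group(1) else f"job:{current_job}"
            findings.append((lineno, scope))
    return findings

# Constructed sample: restrictive default, but one job re-grants everything.
JOB_LEVEL = """\
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
  release:
    permissions: "write-all"  # constructed
    runs-on: ubuntu-latest
"""

if __name__ == "__main__":
    for lineno, scope in find_write_all(JOB_LEVEL):
        print(f"line {lineno}: write-all granted at {scope}")
```

A job-level grant overrides the workflow-level setting for that job, so a restrictive top-level `permissions` block does not by itself rule out `write-all`.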