GitHub Action uses write-all permissions

Using the write-all permission in a GitHub Actions workflow grants the workflow write access on all scopes. Avoid granting unnecessary privileges to a workflow and only enable the scopes that are necessary for its execution.

Examples

Insecure Example

# Insecure: grants the workflow write access on all scopes
permissions: write-all

jobs:
  write-all:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3

Secure Example

# Secure: only the scope this workflow needs
permissions:
  contents: read

jobs:
  contents-read:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
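
The rule can be checked mechanically. The following is an added example, not code from this page or from any linter it describes: a line-based scan that reports each `permissions: write-all` grant and whether it sits at workflow level or on a single job. It goes beyond the examples above by also covering the job-level `permissions` key; the function name `find_write_all` and the sample workflow are constructed for illustration.

```python
import re

# `permissions: write-all`, optionally quoted, optional trailing comment.
WRITE_ALL = re.compile(r"""^\s*permissions:\s*['"]?write-all['"]?\s*(#.*)?$""")
# A bare mapping key such as `  build:`; used to track the current job name.
KEY = re.compile(r"^\s*([A-Za-z_][\w-]*):\s*(#.*)?$")


def find_write_all(text):
    """Return [(line_number, scope)] for every write-all grant.

    scope is "workflow" for a top-level key and "job:<name>" for a
    job-level one. Line-based scan; assumes block-style YAML.
    """
    findings, in_jobs, job_indent, job = [], False, None, None
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:  # new top-level key: are we entering `jobs:`?
            in_jobs, job_indent, job = line.startswith("jobs:"), None, None
        if WRITE_ALL.match(line):
            findings.append((n, "workflow" if indent == 0 else f"job:{job}"))
            continue
        key = KEY.match(line)
        if in_jobs and key and indent > 0:
            if job_indent is None:
                job_indent = indent  # first key under `jobs:` sets job depth
            if indent == job_indent:
                job = key.group(1)
    return findings


# Constructed sample: restrictive default, but one job re-grants write-all.
JOB_LEVEL = """\
permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
    - uses: actions/checkout@v3
"""

if __name__ == "__main__":
    for lineno, scope in find_write_all(JOB_LEVEL):
        print(f"line {lineno}: write-all granted at {scope}")
```

A workflow with a restrictive top-level default can still be flagged, because a job-level `permissions` key overrides the default for that job.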

More information