Read-only token for CI

GitHub automatically creates an API token with write permissions to all data of the repository. See https://help.github.com/en/actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token#about-the-github_token-secret

However, for many uses of GitHub Actions, a mostly read-only token is sufficient and desired for security purposes. For example, a CI job would need only read permission, and the only write permission it uses is to change the status of a Check after the build has been run.

So is there any way to limit the permissions of GitHub Actions, to limit the potential damage that it can do?


The read & write permissions of the automatically created GITHUB_TOKEN are designed this way, and I did not find any method to limit them.

As a workaround, maybe you can create a new PAT, customize the permissions you need, and then set it as a secret in the repository. When running the workflow, use this new PAT to authenticate.
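The workaround above, as an added example that is not part of the original thread. The first job uses a PAT stored as a repository secret instead of the automatic token; the secret name CI_READONLY_PAT is an assumption. `persist-credentials: false` on actions/checkout is a real input that keeps the token out of `.git/config`, so later steps cannot reuse it. The second job shows the top-level `permissions:` key that GitHub added to workflows after this thread was posted, which scopes the automatic GITHUB_TOKEN to exactly the read-plus-checks pattern the question describes.

```yaml
# Added example, not from the original thread.
name: CI

on: [pull_request]

jobs:
  # Workaround from the reply: authenticate with a reduced-scope PAT
  # stored as a repository secret (CI_READONLY_PAT is a hypothetical name).
  build-with-pat:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.CI_READONLY_PAT }}
          # Do not write the token into .git/config, so a compromised
          # later step (or a dependency it runs) cannot read it back.
          persist-credentials: false
      - run: make test

  # Built-in mechanism added by GitHub after this thread: restrict the
  # automatic GITHUB_TOKEN to read-only repository access plus the one
  # write permission CI needs, updating check runs.
  build-with-scoped-token:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      checks: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: make test
```

With the `permissions:` block present, every permission not listed is set to `none` for that job, so a step that tries to push, create a release, or modify the repository with `${{ secrets.GITHUB_TOKEN }}` fails with a 403 rather than succeeding silently. The PAT route still carries the caveat raised later in the thread: a classic PAT needs the full `repo` scope to act on a private repository, so it does not actually reduce what a leaked token can do.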

+1 on this. I’ve made a GitHub Action which only requires read access to pull request data, yet the default token created by GitHub asks for a whole lot more. This is actually preventing adoption of my action by enterprise customers - and creating a PAT unfortunately does not help because the token still needs the entire repo scope checked in order to work.

It would be nice if Actions tokens’ permission levels were able to match those of GitHub Apps or were able to be configured.