Read-only token for CI

GitHub automatically creates an API token with write permissions to all data of the repository. See https://help.github.com/en/actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token#about-the-github_token-secret

However, for many uses of GitHub Actions, a mostly read-only token is sufficient and desired for security purposes. For example, a CI would need read-only permission, and the only write permission is used to change the status of a Check after the build has been run.

So is there any way to limit the permissions of GitHub Actions, to limit the potential damage that it can do?


The read & write permissions of the automatically created GITHUB_TOKEN are designed this way, and I did not find any method to limit its permissions.

As a workaround, maybe you can create a new PAT and customize the permissions you need, then set it as a secret in the repository. When running the workflow, use this new PAT to authenticate.

+1 on this. I’ve made a GitHub Action which only requires read access to pull request data, yet the default token created by GitHub asks for a whole lot more. This is actually preventing adoption of my action by enterprise customers - and creating a PAT unfortunately does not help because the token still needs the entire repo scope checked in order to work.

It would be nice if Actions tokens’ permission levels were able to match those of GitHub Apps or were able to be configured.

Also +1. Our app also integrates with GitHub; we only need to read pull requests and commit names, but users are often willing to authorize full write access.


Any updates on this?
It's scary that you pull third-party actions and their scripts will have write permissions to the repository.


Obviously, a read-only permission token is necessary.

I would also +1 for this. In the wake of many security breaches, it's important to have the ability to create a read-only token.

For those asking, especially just now, this feature was released about a month ago:

Each job can set permissions and both organizations and repositories can change the default permissions to “read only” if desired.
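As an added illustration (not from any post in this thread) of the per-job `permissions` key the last reply refers to, here is a workflow for the CI case from the opening post: the token stays read-only except for the single write needed to publish a Check. The workflow name, the test script path and the `gh api` reporting step are assumptions for the example.

```yaml
# Added example: scope GITHUB_TOKEN per job instead of relying on the
# default read/write token. Scopes not listed under a job's "permissions"
# block are set to "none" for that job.
name: ci

on:
  pull_request:

# Workflow-level default for every job below: read-only on all scopes.
# Repositories and organizations can also make this the default for
# workflows that omit the key entirely (the setting the last reply mentions).
permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    # Job-level override: only the scopes this job actually uses.
    permissions:
      contents: read        # clone the repository
      pull-requests: read   # read PR metadata, no commenting
      checks: write         # the one write: publish the build result
    steps:
      - uses: actions/checkout@v4
      - name: Run tests
        run: ./ci/run-tests.sh   # assumed script, not part of the thread
      - name: Report result as a Check
        if: always()
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh api "repos/${{ github.repository }}/check-runs" \
            -f name="ci" \
            -f head_sha="${{ github.event.pull_request.head.sha }}" \
            -f status="completed" \
            -f conclusion="${{ job.status == 'success' && 'success' || 'failure' }}"

  third-party-lint:
    runs-on: ubuntu-latest
    # A job that runs code you do not control gets contents: read only;
    # every other scope is "none", so a compromised action cannot push,
    # comment or alter checks with this token.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/some-linter-action@v1   # placeholder third-party action
```

The `gh` CLI is preinstalled on GitHub-hosted runners; if the build job's token were still the default read/write one, the same step would succeed, so the value of the `permissions` block is what the token cannot do, not what it can.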