What OAuth scopes are GitHub Actions limited to?

One thing I appreciate about Travis CI is that they explain the why behind the OAuth scopes requested when setting up the integration to GitHub; however, I don't see anything explaining the scope of what GitHub Actions have relative to the repository, much less the organization. I could assume that actions only have read access to the repository to pull down source code before executing the workflow; however, I would appreciate more insight into what guardrails have been put up around GitHub Actions.

Hi @andyfeller ,

GitHub provides a token that you can use to authenticate on behalf of GitHub Actions. GitHub automatically creates a GITHUB_TOKEN secret to use in your workflow. You can use the GITHUB_TOKEN to authenticate in a workflow run.
The token’s permissions are limited to the repository that contains your workflow. If you need a token that requires permissions that aren’t available in the GITHUB_TOKEN, you can create a personal access token and set it as a secret in your repository.
For more details, please see: https://help.github.com/en/actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token

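The answer above describes the automatic GITHUB_TOKEN and notes that it is limited to the repository containing the workflow. The workflow below is an added example, not code from the thread or from GitHub's own documentation; it shows the token being consumed from `secrets.GITHUB_TOKEN` and, as the guardrail the question asks about, the workflow-level and job-level `permissions` keys that narrow what that token may do. The workflow name, step names and the PR comment body are constructed placeholders.

```yaml
# Added example (not from the thread): consume the automatic GITHUB_TOKEN
# while explicitly narrowing its permissions. Names and messages below are
# constructed placeholders.
name: token-scope-demo

on:
  pull_request:

# Default for every job in this workflow: read-only on repository contents.
# Any permission not listed here is set to "none" for the token.
permissions:
  contents: read

jobs:
  comment-on-pr:
    runs-on: ubuntu-latest
    # Only this job needs to write a pull-request comment, so only this job
    # widens the token, and only for that one permission.
    permissions:
      contents: read
      pull-requests: write
    steps:
      # actions/checkout uses GITHUB_TOKEN to clone this repository.
      - uses: actions/checkout@v4

      # gh is preinstalled on GitHub-hosted runners and reads GH_TOKEN.
      # The token is scoped to github.repository; the same calls against
      # any other repository in the organization are refused.
      - name: Show what the token can reach
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh api "repos/${{ github.repository }}" --jq .full_name

      - name: Leave a comment using the narrowed token
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh pr comment "${{ github.event.pull_request.number }}" \
            --body "Constructed example comment posted with GITHUB_TOKEN (pull-requests: write only)."
```

If a step needs access outside this repository, the answer's advice applies: store a personal access token as a repository secret and reference it the same way (`${{ secrets.MY_PAT }}`, a placeholder name). Give that token the smallest set of scopes the step requires, and keep it out of jobs that do not need it, since a secret exposed to a job is reachable by every step and third-party action in that job.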

Thanks for your help!