Can I set permissions for a single job instead of the whole workflow?

Yes, permissions can be defined at the top level for the entire workflow or nested within specific jobs to isolate higher-privilege tasks, such as only allowing a 'release' job to have write access.

Why should I use explicit permissions in GitHub Actions?

Explicit permissions ensure workflows only have the specific access required for their tasks, preventing script injections from pushing malicious code, modifying releases, or creating persistent backdoors.

How do I fix 'Resource not accessible by integration' errors?

This error occurs when the GITHUB_TOKEN lacks a specific permission required for an API call; you can resolve it by adding the necessary scope (e.g., contents: read or pull-requests: write) to the permissions block in your workflow YAML.

What are the default GITHUB_TOKEN permissions?

Default permissions often grant broad read/write access to repository contents, issues, and pull requests, which can create a high attack surface if a workflow or third-party action is compromised.

GitHub Token Permissions Security

Name: GitHub Token Permissions Security
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

Seguridad y Pruebas

Implements least-privilege security for GitHub Actions by configuring explicit GITHUB_TOKEN permissions and reducing attack surfaces.

Acerca de

This skill provides specialized guidance for hardening GitHub Actions workflows by moving away from risky default GITHUB_TOKEN settings. It helps developers implement the principle of least privilege by defining explicit permission scopes for repository resources like code, issues, and packages. By using this skill, you can prevent privilege escalation, mitigate the impact of script injection attacks, and ensure your CI/CD pipelines follow industry-standard security patterns for automated authentication.

Características Principales

Guided implementation of explicit minimal-scope YAML permissions
Best practices for OIDC federation and secure automated releases
Comprehensive GITHUB_TOKEN permission matrix and scope definitions
Security patterns for workflow-level vs. job-level permission escalation
0 GitHub stars
Troubleshooting for common 'Resource not accessible' integration errors

Casos de Uso

Hardening CI/CD pipelines against supply chain attacks and unauthorized code modifications
Configuring automated pull request feedback without granting full repository write access
Setting up secure cloud deployments using id-token write permissions for OIDC authentication

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add adaptive-enforcement-lab/claude-skills github-token-permissions-overview

For use in Claude.ai and ChatGPT

Download Skill

GitHub