Can I set permissions for a single job instead of the whole workflow?

Yes, permissions can be defined at the top level for the entire workflow or nested within specific jobs to isolate higher-privilege tasks, such as only allowing a 'release' job to have write access.

Why should I use explicit permissions in GitHub Actions?

Explicit permissions ensure workflows only have the specific access required for their tasks, preventing script injections from pushing malicious code, modifying releases, or creating persistent backdoors.

How do I fix 'Resource not accessible by integration' errors?

This error occurs when the GITHUB_TOKEN lacks a specific permission required for an API call; you can resolve it by adding the necessary scope (e.g., contents: read or pull-requests: write) to the permissions block in your workflow YAML.

What are the default GITHUB_TOKEN permissions?

Default permissions often grant broad read/write access to repository contents, issues, and pull requests, which can create a high attack surface if a workflow or third-party action is compromised.

GitHub Token Permissions Security

Name: GitHub Token Permissions Security
Author: adaptive-enforcement-lab

byadaptive-enforcement-lab

0•

Seguridad y Pruebas

Implements least-privilege security for GitHub Actions by configuring explicit GITHUB_TOKEN permissions and reducing attack surfaces.

This skill provides specialized guidance for hardening GitHub Actions workflows by moving away from risky default GITHUB_TOKEN settings. It helps developers implement the principle of least privilege by defining explicit permission scopes for repository resources like code, issues, and packages. By using this skill, you can prevent privilege escalation, mitigate the impact of script injection attacks, and ensure your CI/CD pipelines follow industry-standard security patterns for automated authentication.

Características Principales

01Guided implementation of explicit minimal-scope YAML permissions

02Best practices for OIDC federation and secure automated releases

03Comprehensive GITHUB_TOKEN permission matrix and scope definitions

04Security patterns for workflow-level vs. job-level permission escalation

050 GitHub stars

06Troubleshooting for common 'Resource not accessible' integration errors

Casos de Uso

01Hardening CI/CD pipelines against supply chain attacks and unauthorized code modifications

02Configuring automated pull request feedback without granting full repository write access

03Setting up secure cloud deployments using id-token write permissions for OIDC authentication

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add adaptive-enforcement-lab/claude-skills github-token-permissions-overview

For use in Claude.ai and ChatGPT

Download Skill

Características Principales

01Guided implementation of explicit minimal-scope YAML permissions

02Best practices for OIDC federation and secure automated releases

03Comprehensive GITHUB_TOKEN permission matrix and scope definitions

04Security patterns for workflow-level vs. job-level permission escalation

050 GitHub stars

06Troubleshooting for common 'Resource not accessible' integration errors

Casos de Uso

01Hardening CI/CD pipelines against supply chain attacks and unauthorized code modifications

02Configuring automated pull request feedback without granting full repository write access

03Setting up secure cloud deployments using id-token write permissions for OIDC authentication

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add adaptive-enforcement-lab/claude-skills github-token-permissions-overview

For use in Claude.ai and ChatGPT

Download Skill