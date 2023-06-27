

Today, June 27, 2023

You can now download the first beta of actions-permissions, a tool that monitors your GitHub Actions workflows and recommends the minimum permissions required to run them.

Each GitHub workflow run gets a temporary repository access token (GITHUB_TOKEN). These tokens originally had a very wide range of permissions, with full read and write access to the repository. A more fine-grained authorization model for workflow tokens has been in place for about two years now, and the default permissions for new repositories and organizations are now set to “read only”. However, because of the default workflow permissions setting, a significant number of existing workflows still run with a token that has write permissions without actually requiring them. Changing this setting to read-only is a security best practice.

However, changing this setting to read-only may break existing workflows that currently only work with write permissions. Additionally, because workflows can run different steps conditionally on the success or failure of earlier steps, it can be difficult to determine the full set of permissions required by more complicated workflow definitions.

The solution: Monitor Action and Advisor Action

To help you transition to a least-privileged workflow token model, two GitHub Actions have been released that monitor and list the permissions required by a specific GitHub workflow:

The Monitor Action installs a local proxy in your workflow runner (no information is sent to third parties), collects information about all GitHub API interactions initiated by the workflow, and then displays the minimum recommended permissions. The Advisor Action, which you can also run as a local tool, summarizes the recommendations from multiple runs of the same workflow.
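As an added illustration of the idea behind the Monitor Action (this is not the tool's own code), the snippet below reduces a set of observed GitHub API calls to a least-privilege `permissions:` block. The path-to-scope table, the read/write rule and the sample calls are constructed and deliberately simplified.

```python
import re

# Constructed, simplified mapping from repository API path prefixes to
# GITHUB_TOKEN scopes; an illustration, not the Monitor Action's real table.
SCOPE_BY_PATH = [
    (r"^(contents|git|releases|branches|commits)(/|$)", "contents"),
    (r"^pulls(/|$)", "pull-requests"),
    (r"^issues(/|$)", "issues"),
    (r"^check-runs(/|$)", "checks"),
    (r"^actions(/|$)", "actions"),
]
LEVEL = {"none": 0, "read": 1, "write": 2}
REPO_PATH = re.compile(r"^/repos/[^/]+/[^/]+/(.*)$")

def classify(method, path):
    """Map one observed API call to (scope, level); None if not repository-scoped."""
    m = REPO_PATH.match(path.split("?", 1)[0])  # drop the query string
    if not m:
        return None
    for pattern, scope in SCOPE_BY_PATH:
        if re.match(pattern, m.group(1)):
            # Safe methods need read; anything else needs write.
            return scope, ("read" if method.upper() in ("GET", "HEAD") else "write")
    return None

def recommend(calls):
    """Fold all observed calls into the minimum level needed per scope."""
    perms = {}
    for method, path in calls:
        hit = classify(method, path)
        if hit and LEVEL[hit[1]] > LEVEL[perms.get(hit[0], "none")]:
            perms[hit[0]] = hit[1]
    return dict(sorted(perms.items()))

def to_yaml(perms):
    """Render the block to paste into the workflow file."""
    return "\n".join(["permissions:"] + [f"  {k}: {v}" for k, v in perms.items()])

# Constructed sample of calls a workflow might send through the local proxy.
SAMPLE_CALLS = [
    ("GET", "/repos/octo/app/contents/README.md?ref=main"),
    ("GET", "/repos/octo/app/pulls/42"),
    ("POST", "/repos/octo/app/issues/42/comments"),
    ("POST", "/repos/octo/app/check-runs"),
    ("GET", "/repos/octo/app/actions/artifacts"),
    ("GET", "/rate_limit"),  # not repository-scoped: ignored
]

if __name__ == "__main__":
    print(to_yaml(recommend(SAMPLE_CALLS)))
```

Any scope absent from the output falls back to `none` when an explicit `permissions:` block is present, which is the effect you want when moving a workflow off the write-all default.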

