actions permissions

GitHub token permissions Monitor and Advisor actions

257
22
Python

GitHub token permissions Monitor and Advisor actions (PUBLIC BETA)

Logo

https://user-images.githubusercontent.com/26652396/233825493-caf6a8ea-12f0-4d2f-b2ca-466784bea28d.mp4

Applying the least privilege permissions to a GitHub Actions workflow is a best security practice, but can be challenging as it may break existing workflows.

The Monitor action, when added to a workflow, tracks the usage of the temporary GitHub repository token and gives recommendations on the minimum permissions required to run the workflow based on the actual detected workflow activity. Every workflow run generates a summary report with the recommendations. Since some steps or jobs may be skipped based on various conditions, the Advisor action can aggregate and summarize the recommendations from multiple workflow runs.

Workflow run summary with permissions recommendations for every job

The typical scenario is to include the Monitor action in every job of the workflow that doesn’t specify permissions explicitly, collect the recommendations from several workflow runs, apply the recommended minimal permissions, and then remove the Monitor action.

Usage

See the Monitor action

See the Advisor action