Default Workflow Token Permission Should Be Read Only
policy name: token_default_permissions_is_read_write
The default GitHub Action workflow token permission is set to read-write. When creating workflow tokens, it is highly recommended to follow the Principle of Least Privilege and force workflow authors to specify explicitly which permissions they need.
In case of token compromise (due to a vulnerability or malicious third-party GitHub actions), an attacker can use this token to sabotage various assets in your CI/CD pipeline, such as packages, pull-requests, deployments, and more.
- Make sure you have admin permissions
- Go to the org’s settings page
- Enter “Actions - General” tab
- Under ‘Workflow permissions’
- Select ‘Read repository contents permission’
- Click ‘Save’