Default permissions used on risky events
If a GitHub Actions workflow does not declare permissions for its job, it inherits the default permissions configured in the GitHub Actions settings of the repository. For organizations created before February 2023, which is the case for a large number of important OSS projects and corporations, the default permissions used to grant read-write access to the repository and even new repositories will inherit the permissions of the old, insecure defaults from the organization.
Workflows that trigger on events often related to pull requests from forks (pull_request_target, issue_comment) should ensure all jobs run with the minimum required permissions. This helps to ensure the workflow does not inadvertently expose a privileged token to untrusted code regardless of the default permissions set in the repository.
In the affected worfklows, ensure that permissions are explicitely declared at the workflow level or at each job level.
The default workflow permissions can be configured to have no permissions to ensure that all jobs declare their permissions.
on:
pull_request_target:
branches: [main]
types: [opened, synchronized]
permissions: {} # Change the default job permissions to none
jobs:
pr-read:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v4
When using workflow level permissions, ensure that the permissions are set to the minimum required for the workflow to function correctly. Increase the permissions only if necessary on a per-job basis.
on:
pull_request_target:
branches: [main]
types: [opened, synchronized]
permissions:
contents: read
jobs:
pr-read:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
issues-write:
runs-on: ubuntu-latest
permissions:
issues: write
steps:
- uses: org/create-issue-action@v2
on: pull_request_target
jobs:
build-pr:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
- run: make