DevBolt
Processed in your browser. Your data never leaves your device.

GitHub Actions Permissions Guide

Configure GITHUB_TOKEN permissions for your GitHub Actions workflows. Use least-privilege access to minimize security risk. The validator above checks your permission configuration for errors.


GitHub Actions YAML Validator

Validate GitHub Actions workflow files for syntax errors, missing fields, deprecated actions, broken job dependencies, and common misconfigurations. Runs entirely in your browser.

About GitHub Actions Workflow Validation

GitHub Actions workflows are YAML files in .github/workflows/ that define CI/CD automation — building, testing, deploying, and more.

What we check:

  • Required fields — on (triggers), jobs, runs-on, steps
  • Trigger validation — event names, cron schedules, workflow_dispatch inputs
  • Job structure — runs-on, needs dependencies, timeout, strategy/matrix
  • Step validation — uses vs run, action version pinning, id uniqueness
  • Deprecated actions — flags outdated action versions with upgrade suggestions
  • Permissions — validates permission scopes and values
  • Expression syntax — unclosed ${{ }} expressions
  • Reusable workflows — validates uses/steps exclusivity
  • Best practices — timeouts, concurrency groups, naming

Everything runs in your browser — no data is sent over the network.

Understanding GITHUB_TOKEN permissions

Every workflow run gets an automatic GITHUB_TOKEN whose access you control with the permissions key. Since February 2023, new repositories default to the restricted (read-only) set. You can set permissions at the workflow level (applies to every job that does not declare its own) or per job for fine-grained control; a job-level block replaces the workflow-level block for that job rather than merging with it. Available scopes include contents, issues, pull-requests, packages, deployments, actions, checks, id-token, pages, and more. Each scope accepts read, write, or none, and whenever a block names any scope, every scope it leaves out is set to none (metadata is always read). The shorthands read-all and write-all set every scope at once.

# Workflow-level — applies to every job without its own permissions block
permissions:
  contents: read
  pull-requests: write

jobs:
  deploy:
    # Job-level — replaces the workflow block for this job (no merge):
    # pull-requests is not listed here, so it drops to none in deploy
    permissions:
      contents: write
      packages: write
      id-token: write  # Needed to request an OIDC token
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

Least-privilege best practices

Always specify permissions explicitly rather than relying on the repository default, which differs between old and new repositories and can be changed in repository settings. Start from the minimum: a workflow-level contents: read covers most CI jobs (checkout, build, test), and permissions: {} removes every scope for jobs that never touch the repository API. Add write scopes per job, only where a step needs them: pull-requests: write for PR comments, packages: write for publishing, pages: write for deploying to GitHub Pages, and id-token: write for OIDC authentication. Avoid permissions: write-all, which grants write access to every scope. Note that a job-level block replaces the workflow block, so a job that needs a workflow-level grant must repeat it. Workflows triggered by pull_request from a fork receive a read-only token no matter what the permissions block says.
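The rules above (a job block replaces the workflow block, unnamed scopes become none, write-all is a smell, OIDC steps need id-token: write) are mechanical enough to check automatically. The following is an added example, not DevBolt's own validator code: it computes the effective permissions of every job in a workflow that has already been parsed into a dict (the shape PyYAML's safe_load() returns) and reports least-privilege findings. It assumes the restricted repository default, uses a constructed sample workflow that mirrors the one above plus a deliberately broken OIDC job, and detects OIDC use with a heuristic (aws-actions/configure-aws-credentials given role-to-assume and no static key) that is an assumption of this example.

```python
"""Effective GITHUB_TOKEN permissions per job, plus least-privilege lint rules.

Added example for this page, not DevBolt's validator. Works on a workflow
already parsed into a dict (what PyYAML's safe_load() returns); the sample
workflow is constructed inline so the script runs without PyYAML.
"""

# Scopes accepted under the `permissions` key, per GitHub's documentation.
SCOPES = (
    "actions", "attestations", "checks", "contents", "deployments",
    "discussions", "id-token", "issues", "metadata", "packages", "pages",
    "pull-requests", "repository-projects", "security-events", "statuses",
)
LEVELS = ("read", "write", "none")

# Assumed repository default: the "restricted" set given to repositories
# created after February 2023. Older repositories may still be "permissive".
RESTRICTED_DEFAULT = {s: "none" for s in SCOPES}
RESTRICTED_DEFAULT.update(contents="read", packages="read", metadata="read")


def expand(perms):
    """Turn a `permissions` value into a full scope -> level map.
    read-all/write-all set every scope; a mapping that names any scope sets
    every unnamed scope to none (`permissions: {}` is the most restrictive
    block). metadata is always read."""
    if perms == "read-all":
        return {s: "read" for s in SCOPES}
    if perms == "write-all":
        return {s: ("read" if s == "metadata" else "write") for s in SCOPES}
    if not isinstance(perms, dict):
        raise ValueError(f"permissions must be a mapping, read-all or write-all, got {perms!r}")
    out = {s: "none" for s in SCOPES}
    out["metadata"] = "read"
    for scope, level in perms.items():
        if scope not in SCOPES:
            raise ValueError(f"unknown permission scope {scope!r}")
        if level not in LEVELS:
            raise ValueError(f"{scope}: expected read, write or none, got {level!r}")
        out[scope] = level
    return out


def effective_permissions(workflow, job_name, default=RESTRICTED_DEFAULT):
    """Return (scope -> level, source). A job-level block replaces the
    workflow-level block outright; the two are never merged."""
    job = workflow["jobs"][job_name]
    if "permissions" in job:
        return expand(job["permissions"]), "job"
    if "permissions" in workflow:
        return expand(workflow["permissions"]), "workflow"
    return dict(default), "repository default"


def _uses_oidc(step):
    """Heuristic (this example's assumption): configure-aws-credentials with
    role-to-assume and no static access key is using the OIDC provider."""
    with_ = step.get("with") or {}
    return (step.get("uses", "").startswith("aws-actions/configure-aws-credentials@")
            and "role-to-assume" in with_ and "aws-access-key-id" not in with_)


def lint(workflow):
    """Return (job, rule, message) findings for the least-privilege rules."""
    findings = []
    wf_perms = workflow.get("permissions")
    if wf_perms is not None:
        expand(wf_perms)  # raises on an unknown scope or invalid value
    if wf_perms == "write-all":
        findings.append(("<workflow>", "write-all", "write-all grants write on every scope"))
    for name, job in workflow["jobs"].items():
        perms, source = effective_permissions(workflow, name)
        if source == "repository default":
            findings.append((name, "implicit", "no permissions block; token inherits the repository default"))
        if job.get("permissions") == "write-all":
            findings.append((name, "write-all", "write-all grants write on every scope"))
        if source == "job" and isinstance(wf_perms, dict):
            # What the replace-not-merge rule silently took away from this job.
            dropped = sorted(s for s, lvl in wf_perms.items() if lvl != "none" and perms[s] == "none")
            if dropped:
                findings.append((name, "replaced", "job block replaces workflow block; now none: " + ", ".join(dropped)))
        if perms["id-token"] != "write" and any(_uses_oidc(s) for s in job.get("steps", [])):
            findings.append((name, "id-token", "OIDC credential step without id-token: write"))
    return findings


SAMPLE_WORKFLOW = {  # constructed sample: the page's example plus a broken OIDC job
    "name": "ci",
    "on": {"push": {"branches": ["main"]}},  # PyYAML reads a bare `on:` key as the boolean True
    "permissions": {"contents": "read", "pull-requests": "write"},
    "jobs": {
        "test": {"runs-on": "ubuntu-latest", "steps": [{"uses": "actions/checkout@v4"}, {"run": "make test"}]},
        "deploy": {"permissions": {"contents": "write", "packages": "write", "id-token": "write"},
                   "runs-on": "ubuntu-latest", "steps": [{"uses": "actions/checkout@v4"}]},
        "cloud": {"permissions": {"contents": "read"}, "runs-on": "ubuntu-latest",
                  "steps": [{"uses": "aws-actions/configure-aws-credentials@v4",
                             "with": {"role-to-assume": "arn:aws:iam::123456789012:role/ci-deploy",
                                      "aws-region": "us-east-1"}}]},
    },
}

if __name__ == "__main__":
    for job in SAMPLE_WORKFLOW["jobs"]:
        perms, source = effective_permissions(SAMPLE_WORKFLOW, job)
        print(job, source, {s: l for s, l in perms.items() if l != "none"})
    for job, rule, msg in lint(SAMPLE_WORKFLOW):
        print(f"{job}: [{rule}] {msg}")
```

Running it shows the two things the prose warns about: the deploy job loses pull-requests: write because its own block replaced the workflow block, and the cloud job's OIDC step will fail because id-token: write was never granted. The `on` comment is a real PyYAML gotcha (YAML 1.1 booleans) worth remembering when you load workflow files with safe_load().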

Frequently Asked Questions

What are the default GITHUB_TOKEN permissions?

For repositories created after February 2023, the default ("restricted") set is read for contents, packages and metadata and none for every other scope. Older repositories may still use the permissive default, which is read and write on most scopes. You can change the default in repository Settings > Actions > General > Workflow permissions; organization and enterprise settings can limit which defaults a repository is allowed to choose.

What is id-token: write used for?

The id-token permission allows a workflow to request an OpenID Connect (OIDC) token for keyless authentication with cloud providers (AWS, Azure, GCP). This eliminates the need to store long-lived cloud credentials as repository secrets. Granting the scope is only half of the setup: the cloud-side trust policy should restrict which repositories, branches or environments may assume the role by matching the token's sub claim, otherwise any workflow able to mint a token for your organization could use it.
