job_permissions

Every job should set the `permissions` field.

Examples

jobs:
  foo: # The job doesn't have `permissions`
    runs-on: ubuntu-latest
    steps:
      - run: echo hello

jobs:
  foo:
    runs-on: ubuntu-latest
    permissions: {} # Set permissions
    steps:
      - run: echo hello

Why?

For least privilege.

Exceptions

  1. The workflow's `permissions` is empty (`{}`)
permissions: {} # empty permissions
jobs:
  foo: # The job is missing `permissions`, but it's okay because the workflow's `permissions` is empty
    runs-on: ubuntu-latest
    steps:
      - run: echo hello
  2. The workflow has only one job and the workflow has `permissions`
permissions:
  contents: read
jobs:
  foo: # The job is missing `permissions`, but it's okay because the workflow has permissions and the workflow has only one job.
    runs-on: ubuntu-latest
    steps:
      - run: echo hello
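
The rule and its two exceptions can be written as one check over a parsed workflow. This is an added example, not the linter's own code: the function and constant names are hypothetical, the workflows are constructed to mirror the YAML above, and a null `permissions` value is assumed to count as missing.

```python
# Added example, not the linter's own code. Workflows are passed as parsed
# mappings (load the YAML with any parser first); all sample data is constructed.
_MISSING = object()


def _permissions(node):
    """Return the node's `permissions`, or _MISSING when absent or null (assumption)."""
    value = node.get("permissions", _MISSING) if isinstance(node, dict) else _MISSING
    return _MISSING if value is None else value


def jobs_missing_permissions(workflow):
    """Return the sorted names of jobs that violate job_permissions."""
    jobs = workflow.get("jobs") or {}
    wf_perms = _permissions(workflow)
    # Exception 1: workflow-level `permissions: {}` already grants nothing,
    # so every job inherits an empty permission set.
    if wf_perms == {}:
        return []
    # Exception 2: the workflow sets permissions and has exactly one job,
    # so the workflow-level block is effectively that job's block.
    if wf_perms is not _MISSING and len(jobs) == 1:
        return []
    # Otherwise each job must carry its own `permissions`, even an empty one.
    return sorted(n for n, j in jobs.items() if _permissions(j) is _MISSING)


JOB = {"runs-on": "ubuntu-latest", "steps": [{"run": "echo hello"}]}
JOB_WITH_PERMS = {**JOB, "permissions": {}}

NO_PERMISSIONS = {"jobs": {"foo": JOB}}
JOB_LEVEL = {"jobs": {"foo": JOB_WITH_PERMS}}
WORKFLOW_EMPTY = {"permissions": {}, "jobs": {"foo": JOB, "bar": JOB}}
SINGLE_JOB = {"permissions": {"contents": "read"}, "jobs": {"foo": JOB}}
# Two jobs: exception 2 no longer applies, so `foo` is reported.
TWO_JOBS = {
    "permissions": {"contents": "read"},
    "jobs": {"foo": JOB, "bar": JOB_WITH_PERMS},
}

if __name__ == "__main__":
    for name in ("NO_PERMISSIONS", "JOB_LEVEL", "WORKFLOW_EMPTY", "SINGLE_JOB", "TWO_JOBS"):
        print(name, jobs_missing_permissions(globals()[name]))
```

The `TWO_JOBS` case is the one the exceptions leave uncovered: once a second job is added to a workflow that relied on exception 2, the job without its own `permissions` is reported.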