GitHub Actions issuing GitHub Access tokens from GitHub Apps should limit permissions.
This policy supports the following actions.
https://github.com/tibdex/github-app-token
❌

```yaml
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
  with:
    app_id: ${{secrets.APP_ID}}
    private_key: ${{secrets.PRIVATE_KEY}}
    repositories: >-
      ["${{github.event.repository.name}}"]
```
⭕

```yaml
- uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
  with:
    app_id: ${{secrets.APP_ID}}
    private_key: ${{secrets.PRIVATE_KEY}}
    repositories: >-
      ["${{github.event.repository.name}}"]
    permissions: >-
      {
        "contents": "read"
      }
```
The scope of access tokens should be limited. When the `permissions` input is omitted, the issued token carries every permission granted to the GitHub App installation, so any step that only needs to read the repository should request exactly that (for example `"contents": "read"`).
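The following checker, added here as an illustration and not part of the page or of the linter this policy belongs to, walks a parsed workflow and reports every `tibdex/github-app-token` step whose `permissions` input is missing, empty, or not a JSON object. It operates on the dict a YAML loader produces; the embedded `SAMPLE_WORKFLOW` is a constructed stand-in mirroring the two examples above, and the optional PyYAML import is only used when a file path is given on the command line.

```python
"""Flag GitHub App token steps whose requested permissions are not limited.

Added example, not the project's own code. `check_workflow` takes the dict
form of a workflow (what yaml.safe_load returns) so it runs without PyYAML.
"""
import json
from typing import Any, Dict, List, Optional

# Actions covered by this check (the page's supported-actions list).
APP_TOKEN_ACTIONS = ("tibdex/github-app-token",)

# Constructed sample mirroring the page's bad and good steps, as a YAML
# loader would parse them. The `>-` block scalars become plain strings.
SAMPLE_WORKFLOW: Dict[str, Any] = {
    "jobs": {
        "bad": {"steps": [
            {"uses": "actions/checkout@v4"},
            {"uses": "tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a",
             "with": {"app_id": "${{secrets.APP_ID}}",
                      "private_key": "${{secrets.PRIVATE_KEY}}",
                      "repositories": '["${{github.event.repository.name}}"]'}},
        ]},
        "good": {"steps": [
            {"uses": "tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a",
             "with": {"app_id": "${{secrets.APP_ID}}",
                      "private_key": "${{secrets.PRIVATE_KEY}}",
                      "repositories": '["${{github.event.repository.name}}"]',
                      "permissions": '{\n  "contents": "read"\n}'}},
        ]},
    }
}


def _action_name(uses: str) -> str:
    """Strip the version ref: 'owner/repo@sha' -> 'owner/repo'."""
    return uses.split("@", 1)[0]


def _parse_permissions(value: Any) -> Optional[Dict[str, Any]]:
    """The action takes `permissions` as a JSON object string; accept a dict too.

    Returns None when the value is not a JSON object.
    """
    if isinstance(value, dict):
        return value
    if isinstance(value, str):
        try:
            parsed = json.loads(value)
        except json.JSONDecodeError:
            return None
        return parsed if isinstance(parsed, dict) else None
    return None


def check_workflow(workflow: Dict[str, Any]) -> List[str]:
    """Return one finding per offending step, formatted 'job_id/step_index: reason'."""
    findings: List[str] = []
    for job_id, job in (workflow.get("jobs") or {}).items():
        for idx, step in enumerate(job.get("steps") or []):
            uses = step.get("uses")
            if not uses or _action_name(uses) not in APP_TOKEN_ACTIONS:
                continue
            inputs = step.get("with") or {}
            if "permissions" not in inputs:
                # Omitted permissions: the token inherits every App installation permission.
                findings.append(f"{job_id}/{idx}: permissions not set; token inherits all App permissions")
                continue
            perms = _parse_permissions(inputs["permissions"])
            if perms is None:
                findings.append(f"{job_id}/{idx}: permissions is not a JSON object")
            elif not perms:
                findings.append(f"{job_id}/{idx}: permissions is empty; list the permissions needed")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        import yaml  # PyPI "PyYAML"; only needed for the file path mode
        with open(sys.argv[1]) as fh:
            doc = yaml.safe_load(fh)
    else:
        doc = SAMPLE_WORKFLOW
    for line in check_workflow(doc) or ["no findings"]:
        print(line)
```

Run it with no arguments to check the embedded sample (it reports the `bad` job's token step and nothing for `good`), or pass a path to a `.github/workflows/*.yml` file to check a real workflow.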