# MissingJobPermissions

Permissions are not declared.

Defined by `ExplicitJobPermissionsRule`, which supports workflows in the "Default" ruleset along with `ExplicitJobPermissions`.
## Description

Declaring permissions is essential for safe use of the GitHub Actions environment. It reduces the attack surface available to malicious actors.
It also prevents accidental leaking of privileged tokens, because each job only has the permissions it actually needs.

Declaring permissions for the `github.token` / `secrets.GITHUB_TOKEN` temporary access token is the best practice.
There are three ways to declare permissions:

- on the repository level
- on the workflow level
- on the job level

The recommended setting is:

- Set the organization/repository level permissions to "Read repository contents and packages permissions".
  Sadly, the default is "Read and write permissions" (for everything), which is too permissive.
- Do not declare anything on the workflow level.
- Declare explicit permissions on the job level.

This ensures that the tokens always have the least privilege.
Most of the time all you need is:

```yaml
permissions:
  contents: read
```

It is possible you don't need any permissions at all; in this case put:

```yaml
permissions: {}
```
References:

- Documentation of `GITHUB_TOKEN` permissions
- What can go wrong if a too permissive token leaks?
- List of available permissions
## Compliant examples

### Compliant example #1

Permissions are explicitly declared on the job level.

`example.yml`

```yaml
on: push
jobs:
  example:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: echo "Example"
```
### Compliant example #2

Permissions are explicitly declared on the workflow level.

`example.yml`

```yaml
on: push
permissions:
  pull-requests: read
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Example"
```
## Non-compliant example

No permissions are declared anywhere.

`example.yml`

```yaml
on: push
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Example"
```

- Line 3: Job[example] is missing permissions.
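The following is an added example of how the check behind this rule can be implemented; it is not the linter's own `ExplicitJobPermissionsRule` code. It walks a workflow file line by line, tracking indentation, and reports every job under `jobs:` that has no `permissions:` key of its own when no workflow-level `permissions:` key exists either. The sample workflows are constructed to match the compliant and non-compliant examples above (with one extra job using `permissions: {}`). It assumes block-style YAML with consistent indentation, which is what GitHub workflow files normally use, so it needs no third-party YAML library.

```python
"""Minimal checker for the MissingJobPermissions rule (added example, not
the linter's implementation). Line-based: assumes block-style YAML with
consistent indentation and a `jobs:` mapping at the top level."""

import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample workflows mirroring the page's examples.
COMPLIANT_JOB_LEVEL = """\
on: push
jobs:
  example:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: echo "Example"
"""

COMPLIANT_WORKFLOW_LEVEL = """\
on: push
permissions:
  pull-requests: read
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Example"
"""

NON_COMPLIANT = """\
on: push
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Example"
  second:
    runs-on: ubuntu-latest
    permissions: {}
    steps:
      - run: echo "No token needed"
"""

# Matches a mapping key such as `jobs:`, `runs-on: x` or `permissions: {}`;
# list items (`- run: ...`) deliberately do not match.
KEY_RE = re.compile(r"^(\s*)([A-Za-z0-9_.-]+):(.*)$")


@dataclass
class Finding:
    line: int      # 1-based line number of the job key
    job: str
    message: str


def find_missing_job_permissions(workflow_text: str) -> List[Finding]:
    """Return one Finding per job that declares no `permissions:` block
    and is not covered by a workflow-level `permissions:` key."""
    workflow_permissions = False
    in_jobs = False
    job_indent: Optional[int] = None     # indentation of job names
    child_indent: Optional[int] = None   # indentation of a job's direct keys
    jobs: List[List] = []                # [line, name, has_permissions]

    for lineno, raw in enumerate(workflow_text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(raw)
        if not m:
            continue                     # list items, scalars, etc.
        indent, key = len(m.group(1)), m.group(2)

        if indent == 0:
            # Top-level key: enter or leave the `jobs:` mapping.
            in_jobs = key == "jobs"
            job_indent = child_indent = None
            if key == "permissions":     # covers `permissions: read-all` too
                workflow_permissions = True
            continue
        if not in_jobs:
            continue

        if job_indent is None:
            job_indent = indent          # first key under jobs: is a job name
        if indent == job_indent:
            jobs.append([lineno, key, False])
            child_indent = None
        elif jobs:
            if child_indent is None:
                child_indent = indent    # first key inside the job body
            if indent == child_indent and key == "permissions":
                jobs[-1][2] = True       # `permissions:` or `permissions: {}`

    if workflow_permissions:
        return []
    return [Finding(line, name, f"Job[{name}] is missing permissions.")
            for line, name, has_perms in jobs if not has_perms]


if __name__ == "__main__":
    for f in find_missing_job_permissions(NON_COMPLIANT):
        print(f"- Line {f.line}: {f.message}")
```

Running the module prints `- Line 3: Job[example] is missing permissions.` for the non-compliant sample, while `second`, which declares the empty `permissions: {}`, is not reported; both compliant samples produce no findings.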