Introducing Actions-Permissions: Enhance GitHub Workflow Security with New Beta Tool for Minimal Permissions
Introducing Actions-Permissions
GitHub Actions security gets a meaningful boost with the public beta of the actions-permissions tool. It monitors GitHub Actions workflows and recommends the minimum set of permissions a workflow needs to do its job. Workflow tokens originally carried overly broad permissions; in 2021 GitHub introduced a granular permissions model for the token so that workflows could be scoped down in response to escalating security concerns.
Many GitHub workflows, however, still run with a write-all token by default, a lingering gap that keeps them from applying the principle of least privilege. Complex workflows are the hardest to narrow down: they may need several distinct permissions, and removing one the workflow actually uses causes a breaking change.
The new Actions-Permissions Tool addresses these issues through two key features:
Monitor Action: The Monitor action installs a local proxy on the workflow runner that records the GitHub API calls the workflow makes. From that record it derives and displays the recommended minimal permissions in the workflow run summary, so users can see exactly which GitHub API access the workflow needs and avoid over-permissioning it.
Advisor Action: Complementing the Monitor action is the Advisor action, which collates recommendations from multiple workflow runs, providing a broader dataset from which to analyze and offer suggestions. The Advisor action can also be used as a local tool, making it even more flexible for developers assessing their workflow permissions.
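As an added example (not the tool's own code), here is a sketch of the collation step the Advisor performs: API calls observed across several runs are mapped to token scopes and merged, keeping the highest level (read or write) each scope was seen to need. The endpoint-to-scope table is a constructed subset and an assumption, not GitHub's full mapping.

```python
import re
from collections import defaultdict

# Constructed, illustrative subset of GitHub REST endpoints and the GITHUB_TOKEN
# scope each one requires (assumption: not GitHub's complete permission table).
ENDPOINT_SCOPES = [
    ("GET",  r"^/repos/[^/]+/[^/]+/contents(/|$)",        ("contents", "read")),
    ("POST", r"^/repos/[^/]+/[^/]+/releases$",            ("contents", "write")),
    # Commenting on an issue; for a pull request, pull-requests: write also suffices.
    ("POST", r"^/repos/[^/]+/[^/]+/issues/\d+/comments$", ("issues", "write")),
    ("GET",  r"^/repos/[^/]+/[^/]+/pulls/\d+(/|$)",       ("pull-requests", "read")),
    ("POST", r"^/repos/[^/]+/[^/]+/check-runs$",          ("checks", "write")),
]
LEVEL = {"none": 0, "read": 1, "write": 2}

def scope_for(method, path):
    """Return (scope, level) for an observed call, or None if it is not in the table."""
    for m, pattern, scope in ENDPOINT_SCOPES:
        if m == method and re.match(pattern, path):
            return scope
    return None  # unknown call: surface it rather than guess a permission

def recommend(runs):
    """Merge calls from several runs into one minimal permissions map.

    Each run is a list of (method, path) pairs as a proxy would log them.
    Returns (permissions, unmapped_calls)."""
    needed = defaultdict(lambda: "none")
    unknown = []
    for calls in runs:
        for method, path in calls:
            scope = scope_for(method, path)
            if scope is None:
                unknown.append(f"{method} {path}")
                continue
            name, level = scope
            if LEVEL[level] > LEVEL[needed[name]]:  # write beats read, read beats none
                needed[name] = level
    return dict(needed), unknown

def to_yaml(perms):
    """Render the merged map as a workflow-level permissions block."""
    return "\n".join(["permissions:"] + [f"  {n}: {perms[n]}" for n in sorted(perms)])

# Constructed sample: two runs of the same workflow, as the proxy might record them.
RUN_A = [("GET", "/repos/acme/app/contents/README.md"),
         ("POST", "/repos/acme/app/issues/42/comments")]
RUN_B = [("GET", "/repos/acme/app/contents/src/main.c"),
         ("POST", "/repos/acme/app/check-runs"),
         ("GET", "/rate_limit")]

if __name__ == "__main__":
    perms, unknown = recommend([RUN_A, RUN_B])
    print(to_yaml(perms))
    print("unmapped calls:", unknown)
```

Unmapped calls are reported instead of silently granted a scope, which is the safer failure mode when narrowing a token.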
Getting started with the Actions-Permissions Tool is relatively simple. Once users apply the recommended permissions to their workflows, the tool is rarely needed again, though it remains useful for identifying new permissions when a workflow changes. To improve GitHub workflow security, users are encouraged to try the public beta of actions-permissions and share feedback to contribute to its ongoing development.
Integrating the actions-permissions tool is a practical way to tighten GitHub workflow security, making it a worthwhile addition for developers who want to keep their workflows working while minimizing risk. Try the actions-permissions public beta on your GitHub Actions workflows today and take a concrete step toward protecting your sensitive data and processes.