CI/CD Pipelines: Security, Secrets, and Governance/Use least-privilege permissions in GitHub Actions
Explicitly scope the token for each workflow or job.
Section: Harden pipeline credentials and permissions
Use least-privilege permissions in GitHub Actions
```yaml
permissions:
  contents: read
```
Explanation
Set the default permission level deliberately and elevate only when a job truly needs more access.
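A fuller workflow showing that pattern, added here as an illustration rather than taken from the sheet: the workflow-level default is read-only, and only the job that actually publishes a release elevates to `contents: write` (the workflow name, job names and build command are assumed).

```yaml
name: build-and-release
on:
  push:
    branches: [main]

# Workflow-level default: every job's GITHUB_TOKEN starts read-only.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # No permissions block here, so this job inherits the read-only default.
    steps:
      - uses: actions/checkout@v4
      - run: make test   # assumed build/test command

  release:
    runs-on: ubuntu-latest
    needs: build
    # Elevate only in this job: creating a release needs write access to contents.
    # A job-level block replaces the workflow default; scopes not listed here are none.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "v${GITHUB_RUN_NUMBER}" --generate-notes
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The `build` job cannot push, tag or open pull requests even if a dependency it runs is compromised, because its token never had more than `contents: read`.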
Related commands
Use OIDC instead of long-lived cloud keys
Exchange a short-lived identity token for cloud credentials.
Protect production variables in GitLab
Restrict sensitive variables to protected branches or tags.
Be careful with untrusted pull requests
Avoid exposing secrets to code from forks.
Require approval for production release
Add environment rules or manual gates before prod deploys.
Pin actions to a version or commit
Avoid floating references for critical workflow dependencies.