Granting sensitive write permissions at the workflow level applies those permissions to every job in the workflow by default. This violates the
principle of least privilege: jobs that only need read access (for example, to check out the code and run tests) inherit write permissions they never use, and a compromise of any one of those jobs exposes the whole set.
What is the potential impact?
When sensitive permissions are granted at the workflow level, all jobs inherit these permissions regardless of whether they need them. This creates
several security risks:
Repository manipulation
If a job that only requires read access is compromised but has inherited contents: write permissions from the workflow level, an
attacker could modify repository contents, create unauthorized releases, or manipulate the repository history.
Package manipulation
Jobs with unnecessary packages: write permissions could be exploited to publish malicious packages or tamper with existing packages,
potentially compromising downstream consumers of your packages.
Unauthorized attestations and security events
Jobs that inherit attestations: write or security-events: write permissions could sign fraudulent build attestations for artifacts they did not build,
or upload misleading code scanning results that hide real findings, undermining security monitoring and compliance efforts.
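The following workflow is an added example, not part of the original rule description, showing the weak configuration next to the corrected one. It assumes a Node.js project with a test job and a publish job; the project name, commands and action versions are illustrative. The first document grants contents: write and packages: write to every job, although only the publish job needs them. The second keeps the workflow-level block read-only and raises permissions for the one job that needs them. Note that a job-level permissions block replaces the workflow-level block entirely for that job, so the publish job must restate contents: read or its checkout step will fail.

```yaml
# Added example (not from the original page). Assumed: a Node.js project.
# Noncompliant: every job gets write access to contents and packages, so a
# compromised dependency in the "test" job could push commits or publish packages.
name: ci
on: [push]
permissions:
  contents: write
  packages: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
  publish:
    needs: test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm publish
---
# Compliant: the workflow-level block is read-only; only "publish" is elevated.
name: ci
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
  publish:
    needs: test
    runs-on: ubuntu-latest
    # A job-level block replaces the workflow-level block for this job,
    # so contents: read must be restated or actions/checkout cannot clone.
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm publish
```

The permissions key scopes the GITHUB_TOKEN that jobs receive; with the compliant layout, a compromised step in the test job holds a token that can read the repository and nothing else, while the publish job holds exactly the package write scope it needs.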