Using permissions: read-all or permissions: write-all grants the job's GITHUB_TOKEN read access to every permission scope (read-all) or read and write access to every scope (write-all), violating the
principle of least privilege. Jobs should be granted only the specific scopes they need, and a job that never uses the token should be given an empty permissions block (permissions: {}).
- read-all grants: pull-requests: read, packages: read, deployments: read, actions: read, etc.
- write-all grants: pull-requests: write, packages: write, deployments: write, actions: write, etc. (write on a scope includes read).
For example, a job that only needs to read issues should not have access to read code, pull requests, or packages. A job that only needs to push
commits (contents: write) should not also be able to create releases, modify deployments, publish packages, or write to any other scope. Note that the GITHUB_TOKEN is always scoped to the repository that runs the workflow; the scopes control what it can do within that repository.
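The following is an added example, not taken from the original page: a hypothetical pull-request labeling workflow shown first with the over-broad setting and then with scoped permissions. The workflow name, job names, action versions and script path are assumptions. It also shows the job-level override rule: once a job declares its own permissions block, every scope it does not list is set to none for that job regardless of the workflow-level default.

```yaml
# Added example (not from the original page). Workflow, job and action
# versions are hypothetical.

# --- Before: every scope of GITHUB_TOKEN is writable for the whole workflow ---
name: label-pr
on:
  pull_request:
permissions: write-all          # contents, packages, deployments, actions, ... all write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5  # only needs contents: read + pull-requests: write

---
# --- After: read-only default at the workflow level, writes only where needed ---
name: label-pr
on:
  pull_request:
# Workflow-level default for every job: read-only access to repository contents.
permissions:
  contents: read
jobs:
  label:
    runs-on: ubuntu-latest
    # Job-level override. Scopes not listed here (packages, deployments,
    # actions, ...) are none for this job, so contents: read must be repeated
    # because the labeler reads its configuration file from the repository.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/labeler@v5
  lint:
    runs-on: ubuntu-latest
    # Inherits the workflow-level contents: read (enough to check out a
    # private repository) and nothing else.
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/lint.sh   # hypothetical script
```

Two practical checks: a job that only uploads artifacts or runs tests without calling the GitHub API can use permissions: {} so a compromised step holds a token with no scopes at all, and adding a job-level permissions block to grant one write scope silently removes the workflow-level contents: read unless it is restated, which is a common source of "checkout failed" errors on private repositories.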
What is the potential impact?
If a workflow or job is compromised (e.g., via malicious code injection, supply chain attack, or accidental exposure), excessive permissions can
lead to:
Data exposure
If a workflow or job with read-all permission is compromised, an attacker can read sensitive data in issues, pull requests, packages, deployment
history, and so on.
Unauthorized modification
If a workflow or job with write-all permission is compromised, an attacker can create or modify issues, pull requests, releases, deployments,
and so on.
Supply chain compromise
If a workflow or job with write-all permission is compromised, an attacker can publish malicious packages, push commits or tags, or replace release artifacts that downstream consumers trust.