From abf83ab5b7aec57eceaaf67095c6ac2207fae4f3 Mon Sep 17 00:00:00 2001 From: Vikranth3140 Date: Wed, 19 Jun 2024 02:35:59 +0530 Subject: [PATCH] Clarify permissions calculation for workflow jobs --- .../actions/security-guides/automatic-token-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/security-guides/automatic-token-authentication.md b/content/actions/security-guides/automatic-token-authentication.md index 04f4ccbe1c0a..b0055ecae8f4 100644 --- a/content/actions/security-guides/automatic-token-authentication.md +++ b/content/actions/security-guides/automatic-token-authentication.md 
@@ -131,7 +131,7 @@ For full details of the `permissions` key, see "[AUTOTITLE](/actions/using-workf #### How the permissions are calculated for a workflow job -The permissions for the `GITHUB_TOKEN` are initially set to the default setting for the enterprise, organization, or repository. If the default is set to the restricted permissions at any of these levels then this will apply to the relevant repositories. For example, if you choose the restricted default at the organization level then all repositories in that organization will use the restricted permissions as the default. The permissions are then adjusted based on any configuration within the workflow file, first at the workflow level and then at the job level. Finally, if the workflow was triggered by a pull request from a forked repository, and the **Send write tokens to workflows from pull requests** setting is not selected, the permissions are adjusted to change any write permissions to read only. +The permissions for the `GITHUB_TOKEN` are initially set to the default setting for the enterprise, organization, or repository. If the default is set to the restricted permissions at any of these levels then this will apply to the relevant repositories. For example, if you choose the restricted default at the organization level then all repositories in that organization will use the restricted permissions as the default. The permissions are then adjusted based on any configuration within the workflow file, first at the workflow level and then at the job level. Finally, if the workflow was triggered by a pull request from a forked repository, and the **Send write tokens to workflows from pull requests** setting is not selected, the permissions are adjusted to change any write permissions to read only, except for the `pull_request_target` event. This applies to all pull request-related events, including `pull_request_review`. ### Granting additional permissions
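Review bot: the two sentences appended at the end of the `+` line contradict each other as written. "except for the `pull_request_target` event" is immediately followed by "This applies to all pull request-related events, including `pull_request_review`", so a reader cannot tell whether "This" refers to the write-to-read downgrade or to the `pull_request_target` exception. Since the paragraph documents which fork-triggered events keep write access on `GITHUB_TOKEN`, the subject should be explicit. Suggest splitting the exception into its own sentence, e.g. "... the permissions are adjusted to change any write permissions to read only. This downgrade applies to all pull request-related events, including `pull_request_review`. The `pull_request_target` event is the exception and is not downgraded." (keeping whatever wording the product team confirms for the exception).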