Determine minimum GITHUB_TOKEN permissions using Harden-Runner
Last updated
Available for Enterprise Tier users only
Harden-Runner monitors outbound HTTPS requests using eBPF and uses the HTTP verbs and paths of the calls made to GitHub's APIs to recommend the minimum GITHUB_TOKEN permissions for each job in your workflow.
GITHUB_TOKEN is an automatically generated secret used to authenticate to GitHub APIs from GitHub Actions workflows.
Harden-Runner can monitor the verbs (e.g., GET, POST) and paths (e.g., /repos/owner/repo/issues) of calls made to the GitHub APIs from the runner.
Each GitHub API call requires a corresponding GITHUB_TOKEN permission. For instance, a GET request to the /repos/org/repo/info/refs?service=git-upload-pack endpoint (the first request git makes when fetching over HTTPS) requires the contents: read permission.
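The mapping from observed calls to a least-privilege `permissions:` block, as an added illustration that is not Harden-Runner's own code or its internal endpoint table: it folds a constructed list of (verb, path) pairs, such as Harden-Runner records for a job, into the smallest permission set that satisfies all of them (write subsumes read on the same scope), flags any call the table does not cover instead of guessing, and renders the workflow YAML. The endpoint-to-permission rules, the repository name and the sample calls are assumptions made for this example; only the info/refs entry is taken from the text above.

```python
import re

# Constructed sample of observed GitHub API calls (VERB, PATH) for one job.
# The first line is the git smart-HTTP fetch described above; the last is a
# call the illustrative table below does not cover, to show it being flagged.
OBSERVED_CALLS = [
    ("GET",    "/repos/acme/widgets/info/refs?service=git-upload-pack"),
    ("GET",    "/repos/acme/widgets/pulls/42"),
    ("GET",    "/repos/acme/widgets/pulls/42/files"),
    ("POST",   "/repos/acme/widgets/issues/42/comments"),
    ("GET",    "/repos/acme/widgets/issues/42"),
    ("DELETE", "/repos/acme/widgets/actions/caches?key=build-cache"),
]

# Illustrative endpoint-to-permission table (an assumption for this example,
# not Harden-Runner's mapping). Each entry: verb, regex over "path?query",
# GITHUB_TOKEN scope, level. The git smart-HTTP paths live on github.com, the
# rest on api.github.com; the permission depends only on verb and path.
_REPO = r"/repos/[^/]+/[^/]+"
RULES = [
    ("GET",  _REPO + r"/info/refs\?service=git-upload-pack",              "contents",      "read"),
    ("POST", _REPO + r"/git-upload-pack",                                 "contents",      "read"),
    ("GET",  _REPO + r"/info/refs\?service=git-receive-pack",             "contents",      "write"),
    ("POST", _REPO + r"/git-receive-pack",                                "contents",      "write"),
    ("GET",  _REPO + r"/(contents|commits|branches)(/[^?]*)?(\?.*)?",     "contents",      "read"),
    ("POST", _REPO + r"/releases",                                        "contents",      "write"),
    ("GET",  _REPO + r"/pulls(/\d+(/files|/commits)?)?(\?.*)?",           "pull-requests", "read"),
    ("POST", _REPO + r"/pulls/\d+/reviews",                               "pull-requests", "write"),
    ("GET",  _REPO + r"/issues(/\d+)?(\?.*)?",                            "issues",        "read"),
    ("POST", _REPO + r"/issues/\d+/comments",                             "issues",        "write"),
]

LEVEL_RANK = {"none": 0, "read": 1, "write": 2}


def required_permission(verb, path):
    """Return (scope, level) for one observed call, or None if no rule matches."""
    for rule_verb, pattern, scope, level in RULES:
        if verb.upper() == rule_verb and re.fullmatch(pattern, path):
            return scope, level
    return None


def minimum_permissions(calls):
    """Fold observed calls into the least permission set that satisfies all of them.

    Returns (permissions, unmatched): a {scope: level} dict where a write on a
    scope subsumes a read, and the list of calls no rule covered. Unmatched
    calls are reported rather than mapped, so the caller can extend the table
    instead of silently under- or over-granting.
    """
    perms = {}
    unmatched = []
    for verb, path in calls:
        hit = required_permission(verb, path)
        if hit is None:
            unmatched.append((verb, path))
            continue
        scope, level = hit
        if LEVEL_RANK[level] > LEVEL_RANK[perms.get(scope, "none")]:
            perms[scope] = level
    return perms, unmatched


def render_permissions_block(perms):
    """Render a job-level `permissions:` YAML block from {scope: level}.

    An empty mapping renders `permissions: {}`, which disables every scope of
    the GITHUB_TOKEN for the job. Any scope not listed is not granted.
    """
    if not perms:
        return "permissions: {}"
    lines = ["permissions:"]
    for scope in sorted(perms):
        lines.append(f"  {scope}: {perms[scope]}")
    return "\n".join(lines)


if __name__ == "__main__":
    perms, unmatched = minimum_permissions(OBSERVED_CALLS)
    print(render_permissions_block(perms))
    for verb, path in unmatched:
        print(f"# unmatched, map manually before trusting the block: {verb} {path}")
```

Running the block prints `contents: read`, `issues: write` and `pull-requests: read`, plus a warning for the cache DELETE. Paste the printed block under the job in the workflow; if a later run then fails with a 403 from the GitHub API, the failing call is one the table did not cover, and the fix is to add its scope, not to fall back to a broad `write-all`.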
The recommended minimum GITHUB_TOKEN permissions for each job are shown in the Recommendations tab.
For more details, refer to Determine Minimum GITHUB_TOKEN Permissions Using eBPF with Harden-Runner.