Skip to main content

为作业分配权限

修改授予“GITHUB_TOKEN”的默认权限。

概览

You can use permissions to modify the default permissions granted to the GITHUB_TOKEN, adding or removing access as required, so that you only allow the minimum required access. 更多信息请参阅“工作流程中的身份验证

您可以使用 permissions 作为顶级密钥,以应用于工作流程中的所有作业,或特定的作业。 当您在特定作业中添加 permissions 键时,该作业中的所有操作和运行命令使用 GITHUB_TOKEN 获取您指定的访问权限。 更多信息请参阅 jobs.<job_id>.permissions

Available scopes and access values:

permissions:
  actions: read|write|none
  checks: read|write|none
  contents: read|write|none
  deployments: read|write|none
  issues: read|write|none
  discussions: read|write|none
  packages: read|write|none
  pages: read|write|none
  pull-requests: read|write|none
  repository-projects: read|write|none
  security-events: read|write|none
  statuses: read|write|none

If you specify the access for any of these scopes, all of those that are not specified are set to none.

You can use the following syntax to define read or write access for all of the available scopes:

permissions: read-all|write-all

You can use the following syntax to disable permissions for all of the available scopes:

permissions: {}

您可以使用 permissions 键来添加和删除复刻仓库的读取权限,但通常不能授予写入权限。 此行为的例外情况是,管理员在 GitHub Actions 设置中选择了 Send write tokens to workflows from pull requests(从拉取请求发送写入令牌到工作流程)选项。 更多信息请参阅“管理仓库的 GitHub Actions 设置”。

Example: Assigning permissions to GITHUB_TOKEN

此示例显示为将要应用到工作流程中所有作业的 GITHUB_TOKEN 设置的权限。 所有权限都被授予读取权限。

name: "My workflow"

on: [ push ]

permissions: read-all

jobs:
  ...

为特定作业分配权限

For a specific job, you can use jobs.<job_id>.permissions to modify the default permissions granted to the GITHUB_TOKEN, adding or removing access as required, so that you only allow the minimum required access. 更多信息请参阅“工作流程中的身份验证

通过在工作定义中指定权限,您可以根据需要为每个作业的 GITHUB_TOKEN 配置一组不同的权限。 或者,您也可以为工作流程中的所有作业指定权限。 有关在工作流程级别定义权限的信息,请参阅 permissions

Available scopes and access values:

permissions:
  actions: read|write|none
  checks: read|write|none
  contents: read|write|none
  deployments: read|write|none
  issues: read|write|none
  discussions: read|write|none
  packages: read|write|none
  pages: read|write|none
  pull-requests: read|write|none
  repository-projects: read|write|none
  security-events: read|write|none
  statuses: read|write|none

If you specify the access for any of these scopes, all of those that are not specified are set to none.

You can use the following syntax to define read or write access for all of the available scopes:

permissions: read-all|write-all

You can use the following syntax to disable permissions for all of the available scopes:

permissions: {}

您可以使用 permissions 键来添加和删除复刻仓库的读取权限,但通常不能授予写入权限。 此行为的例外情况是,管理员在 GitHub Actions 设置中选择了 Send write tokens to workflows from pull requests(从拉取请求发送写入令牌到工作流程)选项。 更多信息请参阅“管理仓库的 GitHub Actions 设置”。

Example: Setting permissions for a specific job

此示例显示为将要应用到作业 staleGITHUB_TOKEN 设置的权限。 对于 issuespull-requests 拉取请求,授予写入访问权限。 所有其他范围将没有访问权限。

jobs:
  stale:
    runs-on: ubuntu-latest

    permissions:
      issues: write
      pull-requests: write

    steps:
      - uses: actions/stale@v4