# GA-C004: Missing permissions block

Severity: Info, Category: Security

## Why This Matters
Without a top-level `permissions` block, the GITHUB_TOKEN inherits the repository's default permissions. Repositories created before February 2023 default to `write-all`. Adding explicit permissions ensures the principle of least privilege regardless of repository settings.
## How to Fix

Add a top-level `permissions` block with the minimum required scopes.

### Before (incorrect)

```yaml
name: CI
on: push
```

### After (correct)

```yaml
name: CI
on: push
permissions:
  contents: read
```

## Rule Details
| Field | Value |
|---|---|
| Rule Code | GA-C004 |
| Severity | Info |
| Category | Security |
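The following is an added worked example of this rule, not the linter's own implementation: it scans a workflow file for a top-level `permissions` key, reports the finding when it is absent, and applies the minimal fix shown above by inserting `permissions: contents: read` before the `jobs:` mapping. The three workflow texts are constructed samples (the page's Before/After forms plus a job-level-only variant, which still fails this rule because the block is not top-level). The scan is line-based rather than a full YAML parse, an assumption that holds for the block-style mappings workflow files are written in.

```python
import re
from typing import List, Optional

# Constructed sample workflows, mirroring the Before/After forms above.
BEFORE_WORKFLOW = """\
name: CI
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

AFTER_WORKFLOW = """\
name: CI
on: push
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

# A job-level block limits only that job's token; the rule requires a top-level one.
JOB_LEVEL_ONLY = """\
name: CI
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: echo ok
"""

# Unindented `key:` at the start of a line marks a top-level mapping key.
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w-]*)\s*:")


def top_level_keys(workflow_text: str) -> List[str]:
    """Return the top-level mapping keys of a workflow file, in order.

    Assumption: the file is a plain block-style mapping, so any non-indented
    `key:` line is a top-level key. Blank lines and comments are skipped.
    """
    keys = []
    for line in workflow_text.splitlines():
        if not line or line.startswith((" ", "\t", "#")):
            continue
        match = TOP_LEVEL_KEY.match(line)
        if match:
            keys.append(match.group(1))
    return keys


def check_ga_c004(workflow_text: str) -> Optional[str]:
    """Return the GA-C004 finding if no top-level permissions block exists, else None."""
    if "permissions" in top_level_keys(workflow_text):
        return None
    return ("GA-C004: missing top-level `permissions` block; "
            "GITHUB_TOKEN inherits the repository default permissions")


def add_minimal_permissions(workflow_text: str) -> str:
    """Insert a read-only `permissions` block before the top-level `jobs:` key.

    Returns the text unchanged when a top-level block is already present.
    If no `jobs:` key is found the block is appended at the end.
    """
    if check_ga_c004(workflow_text) is None:
        return workflow_text
    fix = ["permissions:", "  contents: read"]
    lines = workflow_text.splitlines()
    for index, line in enumerate(lines):
        match = TOP_LEVEL_KEY.match(line)
        if match and match.group(1) == "jobs":
            lines[index:index] = fix
            break
    else:
        lines.extend(fix)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    samples = [("before", BEFORE_WORKFLOW), ("after", AFTER_WORKFLOW),
               ("job-level only", JOB_LEVEL_ONLY)]
    for label, text in samples:
        print(f"{label}: {check_ga_c004(text) or 'OK'}")
    print(add_minimal_permissions(BEFORE_WORKFLOW))
```

Running the block reports a finding for the "before" and "job-level only" samples and OK for the "after" sample; applying `add_minimal_permissions` to the "before" sample yields exactly the "after" text. The fixer inserts `contents: read` as the page's minimal scope; workflows that push commits, publish packages or comment on issues need the corresponding scopes added explicitly rather than falling back to the repository default.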