New tool to secure your GitHub Actions
Blog post from GitHub
The public beta release of actions-permissions introduces a tool designed to enhance the security of GitHub Actions workflows by recommending the minimal permissions necessary for their operation. Historically, GitHub workflow tokens had broad read and write permissions by default, but a finer-grained permission model was introduced in 2021, setting new repositories and organizations to read-only by default. Despite this, many workflows still operate with more permissions than needed.

The transition to a least-privilege model is encouraged as a best practice but poses challenges, as altering permission settings can disrupt existing workflows that rely on broader permissions. To facilitate this transition, GitHub has released a set of Actions that monitor and enumerate the permissions required by workflows: the Monitor action installs a local proxy to assess interactions with the GitHub API, and the Advisor action summarizes permission recommendations.

Users can apply these recommendations to enhance security and stop using the tools once the appropriate permissions are set, with the flexibility to adjust permissions for future workflow iterations. The beta aims to assist users in adopting a more secure permission model, and feedback is encouraged to refine the tool.
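As an added illustration of the two halves of the problem the post describes (tokens broader than a job needs, and deriving the smallest `permissions:` block once actual usage is known), the following Python is example code written for this page, not part of actions-permissions. It assumes the workflow has already been loaded by a YAML parser into a plain dict, and the "observed" usage is a constructed stand-in for whatever the Monitor/Advisor actions report.

```python
# Scopes GitHub accepts under the `permissions:` key (each may be read, write or none).
TOKEN_SCOPES = (
    "actions", "checks", "contents", "deployments", "discussions", "id-token",
    "issues", "packages", "pages", "pull-requests", "security-events", "statuses",
)

def effective_permissions(workflow, job):
    """Permissions a job runs with: a job-level block overrides the workflow-level one.
    Returns None when neither exists, i.e. the repository default applies."""
    perms = job.get("permissions", workflow.get("permissions"))
    if perms is None:
        return None
    if perms in ("write-all", "read-all"):
        level = perms.split("-")[0]          # "write" or "read" on every scope
        return {scope: level for scope in TOKEN_SCOPES}
    # Scopes left out of an explicit block are set to none by GitHub.
    return {scope: perms.get(scope, "none") for scope in TOKEN_SCOPES}

def audit_workflow(workflow):
    """Return (job, finding) pairs for jobs whose token deserves a review."""
    findings = []
    for name, job in workflow.get("jobs", {}).items():
        perms = effective_permissions(workflow, job)
        if perms is None:
            findings.append((name, "no permissions block; token inherits repository default"))
        elif all(level == "write" for level in perms.values()):
            findings.append((name, "write-all token"))
        else:
            for scope in TOKEN_SCOPES:
                if perms[scope] == "write":
                    findings.append((name, f"write on {scope}"))
    return findings

def minimal_permissions(observed):
    """Turn observed API usage (scope -> highest level used) into the smallest
    `permissions:` block; untouched scopes are omitted and therefore become none."""
    return {scope: observed[scope] for scope in TOKEN_SCOPES
            if observed.get(scope) in ("read", "write")}

# Constructed workflow, shaped as a YAML loader would return it (not from the post).
SAMPLE_WORKFLOW = {
    "name": "ci",
    "permissions": "write-all",                     # workflow-level default for every job
    "jobs": {
        "test": {"runs-on": "ubuntu-latest", "steps": [{"uses": "actions/checkout@v4"}]},
        "label": {"runs-on": "ubuntu-latest",
                  "permissions": {"contents": "read", "pull-requests": "write"},
                  "steps": []},
    },
}
```

Running `audit_workflow(SAMPLE_WORKFLOW)` flags the `test` job for inheriting `write-all` and lists the single write scope on `label`; feeding observed usage into `minimal_permissions` yields the block to paste back into the workflow.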