Skip to main content

GITHUB_TOKEN reference

Find information about the properties, permissions, and behavior of the GITHUB_TOKEN used in GitHub Actions workflows.

Permissions for the GITHUB_TOKEN

For information about the API endpoints GitHub Apps can access with each permission, see GitHub Appに必要な権限.

When a workflow is triggered by the pull_request_target event, the GITHUB_TOKEN is granted read/write repository permission, even when it is triggered from a public fork. For more information, see ワークフローをトリガーするイベント.

Dependabot pull request によってトリガーされるワークフロー実行は、フォークされたリポジトリからのものであるかのように実行されるため、読み取り専用の GITHUB_TOKEN を使用します。 それらのワークフローの実行は、シークレットにはアクセスできません。 これらのワークフローをセキュリティで保護するための戦略については、「GitHub Actions のセキュリティ強化」を参照してください。

The following table shows the permissions granted to the GITHUB_TOKEN by default. People with admin permissions to an enterprise, organization, or repository, can set the default permissions to be either permissive or restricted. For information on how to set the default permissions for the GITHUB_TOKEN for your enterprise, organization, or repository, see エンタープライズで GitHub Actions のポリシーを適用する, Organization について GitHub Actions を無効化または制限する, or リポジトリの GitHub Actions の設定を管理する.

ScopeDefault access
(permissive)
Default access
(restricted)
Maximum access for
pull requests from
public forked repositories
actionsread/writenoneread
attestationsread/writenoneread
checksread/writenoneread
contentsread/writereadread
deploymentsread/writenoneread
discussionsread/writenoneread
id-tokennonenonenone
issuesread/writenoneread
metadatareadreadread
modelsreadnonenone
packagesread/writereadread
pagesread/writenoneread
pull-requestsread/writenoneread
security-eventsread/writenoneread
statusesread/writenoneread

How permissions are calculated for a workflow job

The permissions for the GITHUB_TOKEN are initially set to the default setting for the enterprise, organization, or repository. If the default is set to the restricted permissions at any of these levels then this will apply to the relevant repositories. For example, if you choose the restricted default at the organization level then all repositories in that organization will use the restricted permissions as the default. The permissions are then adjusted based on any configuration within the workflow file, first at the workflow level and then at the job level. Finally, if the workflow was triggered by a pull request from a forked repository, and the Send write tokens to workflows from pull requests setting is not selected, the permissions are adjusted to change any write permissions to read only.

Next steps