GitHub Actions Permissions Hardening Checklist Builder
Review GitHub Actions workflow permissions, tokens, secrets, environments, third-party actions, and pull request risks with a hardening checklist.
Prompt Template
You are a DevSecOps engineer reviewing GitHub Actions permissions. Build a hardening checklist for the repository below.

Repository type: [open source, private SaaS app, monorepo, library, mobile app, infrastructure repo]
Workflow files: [list workflows or paste YAML snippets]
Triggers used: [push, pull_request, pull_request_target, workflow_dispatch, schedule, release, deployment]
Jobs and actions: [build, test, deploy, publish package, upload artifact, comment on PR, label issues]
Default token permissions: [repository default, workflow-level permissions, job-level permissions, unknown]
Secrets and variables: [cloud keys, npm token, Docker token, Slack webhook, signing cert, environment secrets]
Third-party actions: [pinned SHA, version tag, marketplace action, internal action, unknown]
Deployment environments: [production, staging, preview, protected branches, required reviewers]
Fork and PR policy: [external contributors, Dependabot, private forks, self-hosted runners]
Runner types: [GitHub-hosted, self-hosted, macOS, Windows, Linux, privileged Docker]
Known concerns: [overbroad write-all, pull_request_target, secret exposure, unpinned actions, artifact tampering]
Compliance needs: [SOC 2, ISO 27001, supply chain security, internal policy]

Produce:
1. Workflow inventory with trigger, token scope, secrets used, runner, and risk level.
2. Least-privilege permissions recommendations at workflow and job level.
3. Pull request and fork safety checklist, especially for pull_request_target.
4. Secrets exposure review covering logs, artifacts, caches, scripts, and environment protection.
5. Third-party action pinning and trust checklist.
6. Self-hosted runner isolation and cleanup guidance if applicable.
7. Deployment environment protections for staging and production.
8. Example YAML snippets for safer permissions blocks.
9. Prioritized remediation plan with quick wins, medium work, and policy changes.
10. Regression test plan to confirm workflows still run after hardening.

Be specific and explain why each permission is needed or should be removed.
Example Output
Risk Finding
| Workflow | Trigger | Current Permission | Risk | Recommendation |
|---|---|---|---|---|
| ci.yml | pull_request | contents: write | PR job can write when read is enough | Set contents: read |
| release.yml | release | write-all | Broad token for package publish | Use contents: read, packages: write, id-token: write only if OIDC is used |
Safer Default
permissions:
  contents: read
Job-Specific Escalation
permissions:
  contents: read
  pull-requests: write
Use the broader pull-requests permission only for the job that comments on the PR, not for build and test jobs.
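As an added example that is not part of this prompt page, the audit below applies the checklist's named concerns (write-all tokens, missing job-level permissions, unpinned actions, and pull_request_target combined with a checkout of the PR head) to a workflow that has already been parsed from YAML. It assumes the input has the shape `yaml.safe_load` returns for a workflow file; the sample workflow, the hypothetical function names, and the all-zero commit SHA are constructed for illustration.

```python
import re

# Constructed sample in the shape yaml.safe_load returns; the 40-zero SHA is a placeholder.
SAMPLE_WORKFLOW = {
    "on": {"pull_request_target": {}, "push": {"branches": ["main"]}},
    "permissions": "write-all",
    "jobs": {
        "build": {
            "steps": [
                {"uses": "actions/checkout@v4",
                 "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
                {"run": "npm ci && npm test"},
            ],
        },
        "comment": {
            "permissions": {"pull-requests": "write"},
            "steps": [{"uses": "actions/github-script@" + "0" * 40}],
        },
    },
}

SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(wf):
    """Return (job, severity, message) findings for the concerns the checklist names."""
    findings = []
    on = wf.get("on", wf.get(True, {}))  # PyYAML parses a bare `on:` key as boolean True
    triggers = {on} if isinstance(on, str) else set(on)
    for job_name, job in wf.get("jobs", {}).items():
        perms = job.get("permissions", wf.get("permissions"))  # a job block replaces the workflow block
        if perms is None:
            findings.append((job_name, "medium", "no explicit permissions; inherits repository default"))
        elif perms == "write-all":
            findings.append((job_name, "high", "write-all token; start from contents: read, escalate per job"))
        for step in job.get("steps", []):
            uses = step.get("uses", "")
            if not uses:
                continue  # plain `run:` steps carry no third-party action to pin
            ref = uses.rsplit("@", 1)[1] if "@" in uses else ""
            if not SHA_RE.match(ref):
                findings.append((job_name, "medium", f"{uses} is not pinned to a commit SHA"))
            if ("pull_request_target" in triggers and uses.startswith("actions/checkout")
                    and "pull_request.head" in str(step.get("with", {}))):
                findings.append((job_name, "high", "pull_request_target job checks out the PR head with a privileged token"))
    return findings

def risk_level(findings, job_name):
    """Highest severity recorded for a job, for the workflow inventory's risk column."""
    sev = {s for j, s, _ in findings if j == job_name}
    return "high" if "high" in sev else "medium" if "medium" in sev else "low"
```

Running `audit_workflow(SAMPLE_WORKFLOW)` flags only the build job (write-all, an unpinned checkout, and the pull_request_target checkout of the PR head); the comment job, with its own scoped block and a SHA-pinned action, is reported as low risk.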
Tips for Best Results
- 💡 Start with repository and workflow default permissions before editing individual jobs.
- 💡 Treat pull_request_target as high risk because it can combine untrusted code paths with privileged context.
- 💡 Pin sensitive third-party actions to a commit SHA when practical.
- 💡 After reducing permissions, rerun workflows that publish, comment, deploy, or upload artifacts.