ci: add GitHub token permissions for workflows by varunsh-coder · Pull Request #47652 · pandas-dev/pandas
If we set "Read repository contents permission" in our repository settings, would we then only need to specify the write permissions when needed?
Hi @mroeschke yes, that is true. At the same time, it is a best practice to set the permissions in the workflow files explicitly.
- The permissions are encapsulated with the workflow file, so they are easier to review and version (the same reason applies for other as-code files).
- If someone forks the repo, the repository settings are not copied over, so the workflow in the forked repo is not secure. Whereas if the workflow file has explicit permissions, the settings are copied over.
So, setting "Read repository contents permission" in the repo setting is a good idea, as future workflows in the repo will be secure-by-default. In addition, I would also recommend setting permissions explicitly in the workflow files.
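As an added illustration of the pattern discussed above (example workflow written for this page, not taken from the PR or the pandas repository), the top-level `permissions` block restricts the `GITHUB_TOKEN` to read-only access for every job, and a single job that genuinely needs to comment on a pull request re-declares its own, wider permissions. The job names and the commenting step are hypothetical; `actions/checkout` is a real action.

```yaml
name: ci

on:
  pull_request:
  push:
    branches: [main]

# Default for every job in this file: the GITHUB_TOKEN can only read
# repository contents. This travels with the file, so a fork gets the
# same restriction even if its repository settings are permissive.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the read-only default above; no write scopes at all.
    steps:
      - uses: actions/checkout@v3
      - name: Run tests (hypothetical command)
        run: make test

  comment-on-pr:
    runs-on: ubuntu-latest
    needs: test
    if: github.event_name == 'pull_request'
    # Job-level block replaces the workflow default for this job only.
    # Grant just the write scope the step needs (pull-requests), and keep
    # contents read-only so a compromised step cannot push to the repo.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Post a status comment (hypothetical step)
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh pr comment "${{ github.event.pull_request.number }}" \
            --repo "${{ github.repository }}" \
            --body "Tests passed for this pull request."
```

Note that a job-level `permissions` block does not merge with the workflow-level one: any scope not listed in the job block is denied for that job, so each job's block must list every scope it needs.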