For each of the available scopes, shown in the table below, you can assign one of the permissions: `read`, `write`, or `none`. If you specify the access for any of these scopes, all of those that are not specified are set to `none`.
Available scopes and details of what each allows an action to do:
| Scope | Allows an action using `GITHUB_TOKEN` to |
|---|---|
| `actions` | Work with GitHub Actions. For example, `actions: write` permits an action to cancel a workflow run. For more information, see "AUTOTITLE." |
| `checks` | Work with check runs and check suites. For example, `checks: write` permits an action to create a check run. For more information, see "AUTOTITLE." |
| `contents` | Work with the contents of the repository. For example, `contents: read` permits an action to list the commits, and `contents: write` allows the action to create a release. For more information, see "AUTOTITLE." |
| `deployments` | Work with deployments. For example, `deployments: write` permits an action to create a new deployment. For more information, see "AUTOTITLE." |
{%- ifversion discussions %}
| `discussions` | Work with GitHub Discussions. For example, `discussions: write` permits an action to close or delete a discussion. For more information, see "AUTOTITLE." |
{%- endif %}
{%- ifversion fpt or ghec %}
| `id-token` | Fetch an OpenID Connect (OIDC) token. This requires `id-token: write`. For more information, see "AUTOTITLE." |
{%- endif %}
| `issues` | Work with issues. For example, `issues: write` permits an action to add a comment to an issue. For more information, see "AUTOTITLE." |
| `packages` | Work with GitHub Packages. For example, `packages: write` permits an action to upload and publish packages on GitHub Packages. For more information, see "AUTOTITLE." |
| `pages` | Work with GitHub Pages. For example, `pages: write` permits an action to request a GitHub Pages build. For more information, see "AUTOTITLE." |
| `pull-requests` | Work with pull requests. For example, `pull-requests: write` permits an action to add a label to a pull request. For more information, see "AUTOTITLE." |
| `repository-projects` | Work with GitHub projects (classic). For example, `repository-projects: write` permits an action to add a column to a project (classic). For more information, see "AUTOTITLE." |
| `security-events` | Work with GitHub code scanning and Dependabot alerts. For example, `security-events: read` permits an action to list the Dependabot alerts for the repository, and `security-events: write` allows an action to update the status of a code scanning alert. For more information, see "Repository permissions for 'Code scanning alerts'" and "Repository permissions for 'Dependabot alerts'" in "Permissions required for GitHub Apps." |
| `statuses` | Work with commit statuses. For example, `statuses: read` permits an action to list the commit statuses for a given reference. For more information, see "AUTOTITLE." |
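
As an illustration of the rule that unspecified scopes are set to `none` (an added example, not part of the original page): a workflow whose single job grants its `GITHUB_TOKEN` only two scopes from the table. The workflow name, job name, and the template file path `.github/triage-reply.md` are hypothetical.

```yaml
# Added example; names and the template path are hypothetical.
name: Acknowledge new issues

on:
  issues:
    types: [opened]

jobs:
  acknowledge:
    runs-on: ubuntu-latest
    # Only the scopes this job needs are listed. Because access is
    # specified for at least one scope, every scope not named here
    # (actions, checks, deployments, packages, pages, pull-requests,
    # security-events, statuses, ...) is set to none for this job's token.
    permissions:
      contents: read   # needed to check out the repository and read the template
      issues: write    # needed to add a comment to the issue
    steps:
      - name: Check out the reply template
        uses: actions/checkout@v4

      - name: Comment on the new issue
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          ISSUE_NUMBER: ${{ github.event.issue.number }}
        run: |
          # -F body=@file sends the file's contents as the comment body.
          gh api --method POST "repos/$REPO/issues/$ISSUE_NUMBER/comments" \
            -F body=@.github/triage-reply.md
```

If a later step in this job tried to create a release or add a label to a pull request, the request would be refused, because `contents` is only `read` and `pull-requests` was left unspecified and is therefore `none`.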