You can use permissions to modify the default permissions granted to the GITHUB_TOKEN, adding or removing access as required, so that you only allow the minimum required access. For more information, see "Authentication in a workflow."

You can use permissions either as a top-level key, to apply to all jobs in the workflow, or within specific jobs. When you add the permissions key within a specific job, all actions and run commands within that job that use the GITHUB_TOKEN gain the access rights you specify. For more information, see jobs.<job_id>.permissions.

Each property can have a value of read, write or none.

If you specify the access for any of these scopes, all of those that are not specified are set to none.

You can use the following syntax to define read or write access for all of the available scopes:

import { workflow } from 'https://deno.land/x/actionify@0.3.0/mod.ts';

const ci = workflow({ name: 'ci' })
  .on('push')
  .permissions('write-all') // => `read-all` for read access

To disable permissions for all available scopes use the following:

import { workflow } from 'https://deno.land/x/actionify@0.3.0/mod.ts';

const ci = workflow({ name: 'ci' })
  .permissions(false)