Introduction
Architecture
Introduction
IntroductionPromote an image in Amazon ECRDownload a file from JFrog ArtifactoryMove or copy an image from JFrog ArtifactoryUpload a file to JFrog ArtifactoryStore an object on Amazon S3Retrieve an object from Amazon S3
IntroductionCreate or update a functionInvoke a function
IntroductionRun an AWS CodePipelineRun a Bamboo projectRun a Bitbucket pipelineRun a CloudBees CI jobRun a CircleCI workflowRun a GitHub Actions workflowRun a GitLab pipelineRun a Harness pipelineRun a Jenkins® jobRun a JFrog pipelineRun a TeamCity project
Check out a Git repository
IntroductionAWS credentialsECR credentialsEKS credentialsGit global credentialsOCI credentials
IntroductionRun Argo WorkflowsDeploy a binary with EC2Deploy to ECSRender an ECS task definitionBuild a container image with KanikoDeploy with OctopusDeploy with Spinnaker
IntroductionHelm chart installHelm chart packageHelm chart publishHelm chart uninstall
IntroductionCreate a Kubernetes namespaceCreate/update a Kubernetes resourceDeploy to a Kubernetes cluster
IntroductionVerify with NewRelic
Execute remote commands via SSH
IntroductionAnchoreAquasecJFrog XraySnyk ContainerSonatype (Nexus) ContainerTrivy
IntroductionStackhawkZAP
IntroductionCheckmarxFind Security BugsGitHub Security ScannerGosecMendNexus IQSnykSonarQube bundledSonarQube
IntroductionMendSnyk
Components

jobs.<job_id>.permissions

1 minute read

Use jobs.<job_id>.permissions to modify the default permissions granted to the cloudbees.scm.token. Be sure to only allow the minimum required access.

If you specify permissions for the cloudbees.scm.token within a job definition, they are only available for that job. To specify a single set of permissions for all jobs in a workflow, specify the permissions in the workflow definition.

In the following table, each permission setting allowed is listed next to its available scope. If you set permissions for a single scope, by default the other (unset) scope is set to none. Only one permission option can be assigned to a scope.

Scope

Allows an action using cloudbees.scm.token to:

Permission assignment options allowed

scm-token-own

Determine the access the workflow job has to the repository containing the workflow.

none or read (default)

scm-token-org

Determine if the workflow job can request SCM tokens for other repositories within the organization.

none (default) or read

Defining access for the token scopes

The cloudbees.api.token is an OpenID Connect (OIDC) token that can be used to access platform and third-party APIs, but is not for Git access.

You can define the access that the cloudbees.scm.token will permit by specifying read or none as the value of the available scopes within the permissions key.

permissions:
  scm-token-own: read|none
  scm-token-org: read|none

Use {} to disable permissions for all the available scopes, as follows:

permissions: {}

Example usage

In the following example, permissions are set for the cloudbees.scm.token that only apply to the job named stale. Read access is granted for the scm-token-org scope. Other scopes have no access.

jobs:
  stale:

    permissions:
      scm-token-org: read

    steps:
      - uses: actions/stale@v5
jobs.<job_id>.outputs
jobs.<job_id>.steps