1 minute read

Use jobs.<job_id>.permissions to modify the default permissions granted to the cloudbees.scm.token. Be sure to only allow the minimum required access.

If you specify permissions for the cloudbees.scm.token within a job definition, they are only available for that job. To specify a single set of permissions for all jobs in a workflow, specify the permissions in the workflow definition.

In the following table, each permission setting allowed is listed next to its available scope. If you set permissions for a single scope, by default the other (unset) scope is set to none. Only one permission option can be assigned to a scope.


Allows an action using cloudbees.scm.token to:

Permission assignment options allowed


Determine the access the workflow job has to the repository containing the workflow.

none or read (default)


Determine if the workflow job can request SCM tokens for other repositories within the organization.

none (default) or read

Defining access for the token scopes

The cloudbees.api.token is an OpenID Connect (OIDC) token that can be used to access platform and third-party APIs, but is not for Git access.

You can define the access that the cloudbees.scm.token will permit by specifying read or none as the value of the available scopes within the permissions key.

permissions: scm-token-own: read|none scm-token-org: read|none

Use {} to disable permissions for all the available scopes, as follows:

permissions: {}

Example usage

In the following example, permissions are set for the cloudbees.scm.token that only apply to the job named stale. Read access is granted for the scm-token-org scope. Other scopes have no access.

jobs: stale: permissions: scm-token-org: read steps: - uses: actions/stale@v5