jobs.<job_id>.permissions


Use jobs.<job_id>.permissions to set job-level permissions. Grant only the minimum permissions the job requires, following the principle of least privilege (PoLP). Each permission key accepts exactly one scope value. If a key's value is unspecified in the job, the workflow-level value is applied.

For scope and best-practice information, refer to Permissions.

Usage examples

The cloudbees.api.token is an OpenID Connect (OIDC) token for accessing the CloudBees platform and third-party APIs. It does not provide Git repository access.

For key and value details, refer to Permission Scope.

  • Permissions are defined by specifying values for the available scopes within the permissions block:

    permissions:
      scm-token-own: read|none
      scm-token-org: read|none
      id-token: write|none
  • All scopes can be disabled by assigning an empty block:

    permissions: {}
  • The following example defines permissions for the job stale. The scm-token-org scope is granted read access, while all other scopes remain none.

    jobs:
      stale:
        permissions:
          scm-token-org: read
        steps:
          - uses: actions/stale@v5
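
The following check is an added example, not CloudBees code: it validates permissions blocks against the scopes and values listed above and marks every non-none grant for least-privilege review. The function names and the sample workflow, shown already parsed from YAML into a dict, are constructed for illustration.

```python
# Added example. Scope names and values are from this page; the function names
# and the sample workflow (already parsed from YAML into a dict) are constructed.
ALLOWED = {
    "scm-token-own": {"read", "none"},
    "scm-token-org": {"read", "none"},
    "id-token": {"write", "none"},
}

def check_block(where, block):
    """Validate one permissions mapping; return (level, location, message) tuples."""
    if not isinstance(block, dict):
        return [("error", where, "permissions must be a mapping")]
    findings = []
    for scope, value in block.items():
        if scope not in ALLOWED:
            findings.append(("error", where, f"unknown scope {scope!r}"))
        elif not isinstance(value, str) or value not in ALLOWED[scope]:
            ok = "|".join(sorted(ALLOWED[scope]))
            findings.append(("error", where, f"{scope} takes one of {ok}, got {value!r}"))
        elif value != "none":
            findings.append(("review", where, f"grants {scope}: {value}"))
    return findings

def audit(workflow):
    """Check the workflow-level block (if any) and every job-level block."""
    findings = []
    if "permissions" in workflow:
        findings += check_block("workflow", workflow["permissions"])
    for job_id, job in workflow.get("jobs", {}).items():
        where = f"jobs.{job_id}"
        if "permissions" not in job:
            findings.append(("review", where, "no job-level block; workflow-level values apply"))
        else:
            findings += check_block(where, job["permissions"])
    return findings

SAMPLE = {"jobs": {  # constructed input
    "stale": {"permissions": {"scm-token-org": "read"}},          # example from this page
    "locked": {"permissions": {}},                                # empty block: all disabled
    "typo": {"permissions": {"scm-token-orgs": "read"}},          # misspelled scope
    "wrong": {"permissions": {"id-token": "read"}},               # id-token takes write|none
    "pasted": {"permissions": {"scm-token-own": "read|none"}},    # syntax line copied literally
    "implicit": {"steps": []},                                    # no job-level block
}}

if __name__ == "__main__":
    for level, where, message in audit(SAMPLE):
        print(f"{level:6} {where}: {message}")
```
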