Use jobs.<job_id>.permissions to set job-level permissions. Grant only the minimum permissions the job requires, following the principle of least privilege (PoLP). Each permission key accepts exactly one scope value. If a key is not specified in the job, the workflow-level value is applied.
For scope and best-practice information, refer to Permissions.
Usage examples
The cloudbees.api.token is an OpenID Connect (OIDC) token for accessing CloudBees platform and third-party APIs. It does not provide Git repository access.
For key and value details, refer to Permission Scope.
- Permissions are defined by specifying values for the available scopes within the permissions block:

    permissions:
      scm-token-own: read|none
      scm-token-org: read|none
      id-token: write|none

- All scopes can be disabled by assigning an empty block:

    permissions: {}

- The following example defines permissions for the job stale. The scm-token-org scope is granted read access, while all other scopes remain none.

    jobs:
      stale:
        permissions:
          scm-token-org: read
        steps:
          - uses: actions/stale@v5
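
The fallback to workflow-level values and the allowed scope values described above can be checked before a workflow is merged. The following Python is an added example, not CloudBees code: it resolves each job's effective permissions and flags invalid values and grants that a job only inherits. Assumptions: the workflow is already parsed into a dict (SAMPLE is constructed), a scope set at neither level is reported as unset (None) rather than guessed, and flagging inherited grants is this example's own review policy.

```python
# Added example. Allowed values are the ones listed on this page.
ALLOWED = {"scm-token-own": {"read", "none"}, "scm-token-org": {"read", "none"},
           "id-token": {"write", "none"}}

def resolve(block, inherited):
    """Effective scopes for one level; None means unset at every level."""
    if block is None:              # no permissions key at this level
        return dict(inherited)
    if block == {}:                # empty block disables every scope
        return {scope: "none" for scope in ALLOWED}
    return {**inherited, **block}  # value set here wins, the rest falls back

def check_block(where, block):
    """Flag unknown scope keys and values the scope does not accept."""
    out = []
    for scope, value in (block or {}).items():
        if scope not in ALLOWED:
            out.append((where, scope, "unknown scope"))
        elif value not in ALLOWED[scope]:
            out.append((where, scope, f"invalid value {value!r}"))
    return out

def audit(workflow):
    """Return (effective permissions per job, list of findings)."""
    wf_block = workflow.get("permissions")
    wf_eff = resolve(wf_block, {scope: None for scope in ALLOWED})
    findings = check_block("workflow", wf_block)
    effective = {}
    for job_id, job in workflow.get("jobs", {}).items():
        block = job.get("permissions")
        findings += check_block(job_id, block)
        effective[job_id] = resolve(block, wf_eff)
        for scope, value in effective[job_id].items():
            # Policy of this example: a grant should be declared on the job.
            if value not in (None, "none") and scope not in (block or {}):
                findings.append((job_id, scope, f"inherits {value!r} from workflow"))
    return effective, findings

# Constructed input: a workflow file as it would look after YAML parsing.
SAMPLE = {
    "permissions": {"scm-token-own": "read", "id-token": "write"},
    "jobs": {
        "stale": {"permissions": {"scm-token-org": "read"}},
        "lint": {"permissions": {}},
        "publish": {"permissions": {"id-token": "read"}},
    },
}

if __name__ == "__main__":
    print(*audit(SAMPLE)[1], sep="\n")
```

On the constructed input, the stale job is reported as inheriting id-token: write and scm-token-own: read from the workflow level, and publish is reported for an id-token value the scope does not accept.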