Permissions Reference

Required GitHub Actions permissions for Go Gamma Actions workflows.

Overview

Different workflows require different permission levels:

Workflow    Minimum Permissions
test        contents: read
lint        contents: read
security    contents: read, security-events: write
build       contents: read
ci          contents: read, security-events: write
release     contents: write

Permission Definitions

contents: read

  • Clone repository
  • Read files
  • Access git history

Required by: All workflows

contents: write

  • Create tags
  • Create releases
  • Push changes

Required by: release workflow

security-events: write

  • Upload SARIF reports
  • Create security alerts

Required by: security workflow (when upload-sarif: true)

Configuration Examples

Minimal (Test Only)

jobs:
  test:
    uses: go-gamma/actions/.github/workflows/test.yml@v1
    # Uses default permissions (contents: read)

With Security Scanning

permissions:
  contents: read
  security-events: write

jobs:
  ci:
    uses: go-gamma/actions/.github/workflows/ci.yml@v1
    permissions:
      contents: read
      security-events: write

Release Workflow

permissions:
  contents: write

jobs:
  release:
    uses: go-gamma/actions/.github/workflows/release.yml@v1
    permissions:
      contents: write

Full CI with All Features

permissions:
  contents: read
  security-events: write

jobs:
  ci:
    uses: go-gamma/actions/.github/workflows/ci.yml@v1
    permissions:
      contents: read
      security-events: write
    with:
      upload-sarif: true

Troubleshooting

"Resource not accessible by integration"

This error means the workflow's GITHUB_TOKEN lacks a permission that the job needs.

Solution: Add explicit permissions:

permissions:
  contents: read
  security-events: write

jobs:
  ci:
    uses: go-gamma/actions/.github/workflows/ci.yml@v1
    permissions:
      contents: read
      security-events: write

SARIF Upload Fails

For private repositories, uploading SARIF reports may require GitHub Advanced Security.

Workaround: Disable SARIF upload:

with:
  upload-sarif: false

Release Creation Fails

Ensure the release job is granted the contents: write permission:

permissions:
  contents: write

Best Practices

Principle of Least Privilege

Only request permissions you need:

# ✅ Good - minimal permissions
permissions:
  contents: read

# ⚠️ Avoid - overly permissive
permissions: write-all

Workflow-Level Permissions

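Set default permissions at the workflow level and override them at the job level:

permissions:
  contents: read

jobs:
  test:
    # Inherits contents: read
    uses: go-gamma/actions/.github/workflows/test.yml@v1

  release:
    uses: go-gamma/actions/.github/workflows/release.yml@v1
    permissions:
      contents: write  # Override for this job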
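
A small audit of a caller workflow against the minimum-permissions table and the least-privilege advice above, as an added example (not part of the Go Gamma Actions project). The function names, the line-based reader (which handles only the indentation-style YAML shown on this page) and the sample workflow are assumptions of this example; a job with no permissions block at either level is reported as unset.

```python
import re
# Minimum permissions per workflow, copied from the table on this page.
READ, SCAN = {"contents": "read"}, {"contents": "read", "security-events": "write"}
MINIMUM = {"test": READ, "lint": READ, "build": READ, "security": SCAN, "ci": SCAN,
           "release": {"contents": "write"}}
RANK = {"none": 0, "read": 1, "write": 2}
USES = re.compile(r"go-gamma/actions/\.github/workflows/(%s)\.yml@" % "|".join(MINIMUM))

def flatten(text):
    """Map each key path to its scalar value (handles only the YAML subset shown here)."""
    flat, path = {}, []
    for line in (raw.split(" #")[0].rstrip() for raw in text.splitlines()):
        if line.strip() and not line.lstrip().startswith("#"):
            indent = len(line) - len(line.lstrip())
            key, _, val = (s.strip() for s in line.partition(":"))
            path = [p for p in path if p[0] < indent] + [(indent, key)]
            flat[tuple(k for _, k in path)] = val
    return flat

def audit(text):
    """Compare each go-gamma job's effective permissions with the table's minimum."""
    flat, findings = flatten(text), []
    for path, uses in flat.items():
        m = USES.search(uses)
        if not m or len(path) != 3 or path[::2] != ("jobs", "uses"):
            continue
        job, need = path[1], MINIMUM[m.group(1)]
        at = ("jobs", job, "permissions")
        at = at if at in flat else ("permissions",)  # job level replaces workflow level
        granted = flat.get(at) or {k[-1]: v for k, v in flat.items() if k[:-1] == at}
        if at not in flat or isinstance(granted, str):
            findings.append(f"{job}: no explicit scope map ({flat.get(at, 'unset')})")
            continue
        for scope in sorted(set(need) | set(granted)):
            have, want = granted.get(scope, "none"), need.get(scope, "none")
            if RANK.get(have, 0) != RANK[want]:
                findings.append(f"{job}: {scope} is {have}, table minimum is {want}")
    return findings

# Constructed sample: a release job with too little of one scope and an unneeded one.
SAMPLE = """\
jobs:
  release:
    uses: go-gamma/actions/.github/workflows/release.yml@v1
    permissions:
      contents: read
      security-events: write
"""
print("\n".join(audit(SAMPLE)))
```

An empty result means every job that calls a go-gamma workflow grants exactly the scopes listed in the table.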