I'm trying to limit the scope of the GITHUB_TOKEN actions on my repository have access to. One such action creates a draft release in my repository -- and I would like it only to be able to create that draft and nothing else.
Taking a look at the available permissions here: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions there isn't one specifically for releases (or even tagging really). Is it considered a "deployment"? Is there something I'm missing here?
To allow your GitHub Action to create a draft release, you will have to grant your GITHUB_TOKEN access to POST /repos/:owner/:repo/releases using the contents: write permission.
Unfortunately this permission is quite broad and allows writing all other content related stuff like commits, jobs, branches, etc. There is no fine grained scope permission that only allows creating a draft release.
Source: https://docs.github.com/en/rest/reference/permissions-required-for-github-apps#permission-on-contents
Note that Personal Access Tokens (PATs) have the same problem with the broad repo scope:
Grants full access to repositories, including private repositories. That includes read/write access to code, commit statuses, repository and organization projects, invitations, collaborators, adding team memberships, deployment statuses, and repository webhooks for repositories and organizations. Also grants ability to manage user projects.
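Since contents: write is the narrowest permission that covers release creation, the practical mitigation is to grant it only to the job that needs it and drop everything else. The following workflow is an added example, not taken from the answer or from GitHub's docs; the repository, tag name and trigger are assumptions.

```yaml
# Added example: least-privilege GITHUB_TOKEN for a job that only creates a draft release.
name: draft-release

on:
  push:
    tags:
      - 'v*'          # assumption: releases are cut from version tags

# Workflow-level default: no permissions at all. Every job must opt in explicitly,
# so a job that merely builds or tests cannot touch repository contents.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # checkout only; cannot push, tag or create releases
    steps:
      - uses: actions/checkout@v4
      - run: echo "build and test here (placeholder)"

  draft:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write  # the one scope POST /repos/{owner}/{repo}/releases requires
    steps:
      - uses: actions/checkout@v4
      # gh reads GH_TOKEN; GITHUB_TOKEN is the workflow's short-lived installation token.
      - name: Create draft release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release create "${GITHUB_REF_NAME}" \
            --draft \
            --title "${GITHUB_REF_NAME}" \
            --notes "Draft created by workflow; review before publishing."
```

The token is still contents: write within that job, so keep third-party actions out of it and pin any you do use; the scoping limits which job holds the broad permission, not what the permission itself can do.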
As explained through the GitHub documentation, the GITHUB_TOKEN doesn't have all available permissions.
If you want to perform specific operations in your workflows involving other permissions, you'll need to create a PAT (Personal Access Token) with the desired permissions and use it instead of the GITHUB_TOKEN.
Reference from the GitHub Community about GITHUB_TOKEN scope