diff --git a/content/actions/security-guides/automatic-token-authentication.md b/content/actions/security-guides/automatic-token-authentication.md index ba4f2ce5f549..6571dd7b2adc 100644 --- a/content/actions/security-guides/automatic-token-authentication.md +++ b/content/actions/security-guides/automatic-token-authentication.md @@ -77,7 +77,7 @@ For information about the API endpoints {% data variables.product.prodname_githu The following table shows the permissions granted to the `GITHUB_TOKEN` by default. People with admin permissions to an {% ifversion not ghes %}enterprise, organization, or repository,{% else %}organization or repository{% endif %} can set the default permissions to be either permissive or restricted. For information on how to set the default permissions for the `GITHUB_TOKEN` for your enterprise, organization, or repository, see "[Enforcing policies for {% data variables.product.prodname_actions %} in your enterprise](/admin/policies/enforcing-policies-for-your-enterprise/enforcing-github-actions-policies-for-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise)," "[Disabling or limiting {% data variables.product.prodname_actions %} for your organization](/github/setting-up-and-managing-organizations-and-teams/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization)," or "[Managing {% data variables.product.prodname_actions %} settings for a repository](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository)." -| Scope | Default access
(permissive) | Default access
(restricted) | Maximum access
by forked repos | +| Scope | Default access
(permissive) | Default access
(restricted) | Maximum access for
pull requests from
public forked repositories[†] | |---------------|-----------------------------|-----------------------------|--------------------------------| | actions | read/write | none | read | | checks | read/write | none | read | @@ -93,6 +93,8 @@ The following table shows the permissions granted to the `GITHUB_TOKEN` by defau | security-events | read/write | none | read | | statuses | read/write | none | read | +[†] Private repositories can control if pull requests from forks can run workflows, and configure the permissions assigned to `GITHUB_TOKEN`. For more information, see "[Managing GitHub Actions settings for a repository](/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories)." + {% data reusables.actions.workflow-runs-dependabot-note %} ### Modifying the permissions for the `GITHUB_TOKEN`