#least-privilege
Tagged “least-privilege”
2 articles

Security & supply chain
GitHub Actions hands fork triggers a read-only cache token
GitHub Actions now issues read-only cache tokens to workflow events fired from outside a repository's collaborator set, applying least privilege to the default-branch cache so untrusted triggers cannot poison entries the next push reuses.
Jun 30, 2026 · Tomás Vega

Security & supply chain
GitHub Agentic Workflows drop personal access tokens for the built-in Actions token
Agentic workflows on GitHub can now authenticate with the ephemeral GITHUB_TOKEN instead of a long-lived personal access token. It is a quiet credential-hygiene win that closes one of the messier blast radii in agent-driven CI.
Jun 15, 2026 · Tomás Vega