Permission options for GITHUB_TOKEN

• Add the ones you need, it’ll set the rest to none (docs)
• You can do this at root or per-job level

permissions:
  actions: read|write|none
  checks: read|write|none
  contents: read|write|none
  deployments: read|write|none
  id-token: read|write|none
  issues: read|write|none
  discussions: read|write|none
  packages: read|write|none
  pages: read|write|none
  pull-requests: read|write|none
  repository-projects: read|write|none
  security-events: read|write|none
  statuses: read|write|none

• Sometimes you need none (when your workflow doesn’t need to access its repo)

permissions: {}

Improve supply chain security with GitHub settings

More automation means you need more guardrails

• In GitHub repo settings, add a main branch protection rule
• In GitHub Security tab, enable everything
• For bigger teams, add a CODEOWNERS file
• (Shameless plug) 📧 get on my newsletter to get updates on my security steps guide

Real-world image tagging

• Production tags should be immutable
• <something>-<date> or <something>-<git-sha> are good
• Even <something>-<date>-<git-sha> is good
  • This helps humans trace when it was built and what commit it came from
• Keep offering latest for friendly dev use, but don’t use it in prod
• Build and store PR images with a pr-<number> tag
• Maybe, split "CI builds" and "Production-ready builds" into separate repos or registries
• Docker Metadata Action can do all this