[Docs]: Link to GitHub docs on token permissions in excessive-permissions audit no longer has the list of permissions

[jfrost-mo]

Pre-submission checks

• I am not filing a feature request. These should be filed via the feature request form instead.
• I have checked the Troubleshooting Guide for my problem.
• I have looked through both the open and closed issues for a duplicate report.

zizmor version

Latest

Expected behavior

Link to GitHub docs on token permissions in excessive-permissions audit no longer has the list of permissions

The current link goes to:
https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

But this no longer appears to show the useful information that was there before:
https://web.archive.org/web/20250428200142/https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

A cursory search through the GitHub docs indicates this may have been removed without replacement.

Actual behavior

No token permission information shown. Specifically I was interested in knowing whether the phrase "users often don't realize that the default GITHUB_TOKEN permissions can be very broad" applied to the read-only token setting that most repositories now use, rather than the older read/write token setting.

Reproduction steps

Go to https://docs.zizmor.sh/audits/#excessive-permissions

Click on link to GitHub Docs.

Observe the lack of token permission information.

Logs

Additional context

No response

[woodruffw]

Hi @jfrost-mo, thanks for the report.

That's frustrating, I don't understand why GitHub would remove those docs without a replacement.

Specifically I was interested in knowing whether the phrase "users often don't realize that the default GITHUB_TOKEN permissions can be very broad" applied to the read-only token setting that most repositories now use, rather than the older read/write token setting.

It was written with the older default in mind (which still applies to a very large number of repos), but IMO it's true of the new default too: global read is definitely not ideal when most workflows/jobs should only be given read access to the resources they actually need. It's definitely less serious with the new default, however.

(Ideally zizmor would be able to tell which default a repo is using, but repo age via the API is only a weak proxy since an admin could have changed the default on the repo or org level.)

[woodruffw]

I asked some folks I know at GH, and they confirmed that this was removed semi-intentionally -- it turns out there are some enterprise user cases where the default permissions documentation was misleading, and so they removed it to minimize confusion.

(I personally find this confusing, since the overwhelming majority of users do probably have these defaults adhere to their usage. But I digress, since it's not my decision to make.)

Short term, the zizmor docs will probably just need to carry some more context here + link to different pages:

• https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#defining-access-for-the-github_token-scopes-1
• https://docs.github.com/en/enterprise-cloud@latest/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization